Skip to main content

Server-Side Request Forgery

web HIGH

Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs.

How It Works

Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs. When a web server accepts a URL parameter to retrieve external content—for example, to proxy images, validate webhooks, or import data—an attacker can manipulate that parameter to make the server send requests to unintended destinations. The critical issue is that these requests originate from the server itself, bypassing firewalls and network controls that would block direct external access.

Attacks come in several forms. Direct SSRF gives the attacker full control over the destination URL, allowing them to target internal services like http://localhost:8080/admin or cloud metadata endpoints at http://169.254.169.254/latest/meta-data/. Blind SSRF occurs when the application makes the request but doesn't return the response to the attacker—they must rely on timing differences or out-of-band techniques to confirm success. Partial SSRF restricts the attacker to modifying only part of the URL, such as the hostname or path, requiring more creative exploitation.

The typical attack flow starts with identifying URL parameters that trigger server-side requests. The attacker then probes for internal services by injecting internal IP addresses or localhost references. Common targets include administrative interfaces, internal REST APIs, Redis or Memcached instances, and especially cloud metadata services that expose IAM credentials. Attackers often employ bypass techniques like encoding IPs in decimal format (2130706433 for 127.0.0.1), exploiting URL parser discrepancies between validation and execution layers, or chaining with open redirects to evade basic filters.

Impact

  • Access to internal services that should be network-isolated—admin panels, monitoring dashboards, configuration endpoints
  • Cloud credential theft via metadata APIs, particularly AWS IAM role credentials exposed at 169.254.169.254
  • Reading local files through file:// protocol support, exposing configuration files and source code
  • Network reconnaissance to map internal infrastructure and identify additional attack targets
  • Remote code execution on back-end systems like Redis or Elasticsearch that accept commands over HTTP
  • Pivoting deeper into internal networks by using the compromised server as a proxy for further attacks

Real-World Examples

Capital One suffered a massive breach in 2019 when an attacker exploited SSRF in a web application firewall to query AWS metadata services, stealing credentials that granted access to over 100 million customer records. The vulnerability allowed requests to the internal metadata endpoint that should have been unreachable.

Shopify's infrastructure exposed internal Google Cloud metadata in 2020 through an image proxy feature. Security researchers demonstrated they could retrieve service account credentials by tricking the proxy into fetching from the metadata API, potentially compromising the entire GCP environment.

Numerous CVEs in enterprise products highlight SSRF in common features: webhook validators in GitLab, PDF generators that fetch remote images, and document conversion services. These typically manifest when URL validation assumes all requests will target external internet resources, failing to anticipate internal network abuse.

Mitigation

  • Allowlist approved destination domains rather than trying to blocklist dangerous ones—only permit necessary external services
  • Disable unnecessary URL schemes entirely (file://, gopher://, dict://)—restrict to https:// only where possible
  • Network segmentation to prevent application servers from reaching internal infrastructure—use separate VLANs or VPCs
  • Deploy cloud metadata protections like AWS IMDSv2 requiring session tokens, making metadata unavailable to simple HTTP requests
  • Validate and parse URLs consistently using a single library, then verify resolved IP addresses aren't private ranges
  • Remove response bodies from errors to prevent information disclosure in blind SSRF scenarios

Recent CVEs (2848)

CVSS 5.7
MEDIUM PATCH This Month

SSRF filter bypass in CKAN MCP Server (@aborruso/ckan-mcp-server) allows a low-privileged remote MCP caller to reach loopback and private network addresses by supplying hostname aliases such as 'ip6-localhost' as the server_url parameter to CKAN tools like ckan_package_search and sparql_query. The prior remediation for CVE-2026-33060 hardened only against dotted IPv4 literals, bracketed IPv6 literals, and the exact string 'localhost', leaving non-canonical loopback aliases unblocked in src/utils/http.ts. No public exploit code has been identified at time of analysis, and no active exploitation has been confirmed by CISA KEV; however, the bypass technique is straightforward given knowledge of the prior fix.

SSRF
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Server-side request forgery in NocoBase through v2.1.20 allows authenticated administrators to issue arbitrary outbound HTTP requests via the serverRequest wrapper, enabling internal network enumeration and cloud instance metadata exfiltration. The attack surface spans workflow request nodes, custom request action buttons, and the AI plugin - all of which accept administrator-supplied URLs without adequate server-side validation. A publicly available proof-of-concept exists per VulnCheck reporting; no CISA KEV listing is present, indicating no confirmed widespread active exploitation at time of analysis, though the IAM credential theft potential elevates real-world impact significantly for cloud-hosted deployments.

SSRF Nocobase
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-side request forgery in QuantumNous New API (an open-source LLM API gateway/proxy) lets any authenticated low-privilege user coerce the server into making HTTP requests to internal or cloud-metadata IP addresses via notification URL configuration. Because the default SSRF protection (ApplyIPFilterForDomain disabled) validated only the literal hostname against domain allow/block lists and never resolved and re-checked the destination IP, a user could set Webhook, Bark, or Gotify notification URLs whose hostname points at internal services. No public exploit identified at time of analysis; the flaw is fixed in v0.12.0-alpha.1 and rated High (CVSS 7.7).

SSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Coolify's GitHub App integration exposes internal network services and cloud metadata endpoints to authenticated low-privilege users. Versions prior to 4.0.0-beta.471 allow any authenticated user to set the GithubApp api_url field to an arbitrary URL - including RFC 1918 private addresses or cloud instance metadata endpoints like 169.254.169.254 - which Coolify then fetches server-side without restriction. No public exploit identified at time of analysis, but the attack pattern is well understood and particularly dangerous in cloud-hosted deployments where metadata endpoints may expose IAM credentials.

SSRF Coolify
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Coolify prior to v4.0.0-beta.474 enables an authenticated user holding storage management permissions to coerce the application server into issuing HTTP requests to arbitrary internal addresses, including cloud instance metadata services. The vulnerable code path is Coolify's S3 storage endpoint testConnection() function, which blindly fetches the caller-supplied URL after only superficial format validation. No public exploit or CISA KEV listing exists at time of analysis, but cloud-hosted deployments face elevated risk because successful exploitation can expose cloud provider credentials via metadata endpoints such as AWS IMDSv1.

SSRF Coolify
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Prompt-to-Cypher injection in Langroid's Neo4jChatAgent (pip package langroid <= 0.65.4) lets anyone who can influence the agent's prompt — directly, or indirectly through content pulled in via RAG — steer arbitrary Cypher into the Neo4j driver with no validation or opt-out gate, allowing unauthorized read, modification, and full destruction of all graph data, plus a LOAD CSV SSRF/remote-fetch primitive. When APOC or dbms.security procedures are granted to the database role, the same primitive escalates to OS-command and filesystem access, making it RCE-equivalent and matching the Critical parent issue CVE-2026-25879. No public weaponized exploit is identified at time of analysis, though the GHSA advisory documents a static grep-based reproduction; no KEV or EPSS signal is present in the source data.

SSRF SQLi
NVD GitHub
CVSS 7.6
HIGH PATCH This Week

Arbitrary file read in OpenRemote's KNXProtocol asset-import handler lets any authenticated user (PR:L, any realm) upload a malicious ETS project ZIP whose 0.xml is parsed via Saxon XSLT and XMLInputFactory without XXE hardening, resolving external entities to exfiltrate server files such as /etc/passwd, openmrs-runtime.properties, and cloud credential files, with SSRF against internal endpoints as a secondary impact. This is an incomplete-fix regression of CVE-2026-40882, which only hardened the parallel Velbus handler and left KNXProtocol's two XML parsing calls unprotected. A full working proof-of-concept reproducing both parsing stages is publicly available; the vulnerability is not listed in CISA KEV.

XXE SSRF Java +1
NVD GitHub
MEDIUM PATCH This Month

Unauthenticated SSRF in Dragonfly's scheduler v1 gRPC service allows any remote client to force the scheduler to issue HTTP GET requests to arbitrary internal addresses, including loopback (127.0.0.1), cloud metadata endpoints (169.254.0.0/16), and RFC1918 ranges. The scheduler's `DownloadTinyFile()` function constructs HTTP requests from attacker-controlled `PeerHost.Ip` and `PeerHost.DownPort` gRPC fields with no destination address validation, and stores up to 128 bytes of each fetched response in `Task.DirectPiece`, which is subsequently served to other peers. The input tag of 'RCE' in the source intelligence is incorrect - this is a read-SSRF with a limited exfiltration path, not remote code execution. A fully confirmed proof-of-concept exists against v2.4.4-rc.2; no patched release version has been identified at time of analysis.

SSRF RCE
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Server-side request forgery in Crawl4AI's Docker API server (versions prior to 0.9.0) lets a remote unauthenticated client coerce the server into fetching attacker-chosen internal, private, or link-local URLs and streaming the response body back. The SSRF destination allowlist check was enforced on the non-streaming /crawl path but omitted from the streaming code path, so requests to POST /crawl/stream - or POST /crawl with crawler_config.stream=true - bypass validation entirely. No public exploit identified at time of analysis, but the fix is public in commit 60886d1 and the root cause (a guard applied to one path but not its sibling) is trivial to reproduce.

SSRF Docker Crawl4ai
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Build-time SSRF in Hugo static site generator (v0.162.0-v0.163.0) allows bypass of the `security.http.urls` IP-block policy by supplying loopback or cloud-metadata addresses in alternate IPv4 encodings - integer, hex, or octal - that the deny rule does not recognize but the cgo system resolver silently normalizes and resolves. Templates invoking `resources.GetRemote` with attacker-influenced or data-derived URLs can reach internal services and cloud-metadata endpoints (e.g., AWS IMDSv1) at build time, a particularly acute risk in CI pipelines and hosted build services where instance credentials are accessible. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the fix is available in v0.163.1.

SSRF Hugo
NVD GitHub VulDB
CVSS 7.1
HIGH POC PATCH This Week

Server-side request forgery in flyto-core (Python pip package) lets an authenticated workflow author bypass the built-in SSRF guard by encoding internal targets as IPv6 transition-form literals (IPv4-mapped `::ffff:127.0.0.1`, 6to4 `2002::/16`, or NAT64 `64:ff9b::/96`), causing the `http.get` atomic module and ~10 sibling fetch modules to perform outbound reads against loopback, RFC 1918, and cloud instance-metadata endpoints and return the response body. The reporter provides a full working end-to-end reproduction against a clean install of default-branch HEAD, so publicly available exploit code exists, though there is no evidence of active exploitation and no CISA KEV listing. CVSS 3.1 base is 7.1 (High); no EPSS score was supplied.

SSRF Python Google
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Server-Side Request Forgery in the Anti-Virus for ownCloud extension (versions before 1.2.3, shipping with ownCloud 10 prior to 10.15.3) lets an authenticated high-privileged user coerce the server into issuing attacker-controlled requests, with a scope-changed CVSS of 9.1 reflecting reach into internal systems. The flaw was reported through ownCloud's security advisory program (GHSA-3wg4-mg27-hj4w); there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A vendor-released patch exists: Anti-Virus for ownCloud 1.2.3 / ownCloud 10.15.3.

SSRF Anti Virus For Owncloud Owncloud 10
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-side request forgery escalating to remote code execution in the SharePoint for ownCloud app (versions prior to 0.4.1, bundled with ownCloud 10 before 10.15.3) lets an already-authenticated administrator coerce the server into making attacker-controlled requests that ultimately run arbitrary code on the host. The flaw is tagged RCE/SSRF and carries an 8.5 CVSS with a scope change (S:C), reflecting that abuse of the SharePoint integration crosses a trust boundary into the underlying system. No public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a patch-and-move-on issue rather than an active-threat emergency.

SSRF Microsoft RCE +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-side request forgery and secret disclosure in the Apache Camel camel-iggy consumer (versions 4.17.0-4.18.2 and 4.19.0-4.20.x) allow an actor able to publish to a consumed Iggy stream to inject Camel control headers such as CamelHttpUri into the Exchange. When the consumer feeds a downstream HTTP producer, the attacker redirects the server-side request to internal services or cloud metadata endpoints, and because the producer resolves Camel property placeholders on the attacker-controlled URI, environment variables, application properties, and vault secrets are exfiltrated. No public exploit identified at time of analysis, and EPSS is low (0.15%), but the confidentiality impact is rated High.

Hashicorp SSRF Microsoft +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-side request forgery and secret disclosure in Apache Camel's camel-atmosphere-websocket component allow a remote attacker to hijack downstream server-side HTTP requests by injecting Camel control headers as WebSocket query parameters. Affecting Camel 4.0.0-4.14.7, 4.15.0-4.18.2 and 4.19.0-4.20.x, the flaw lets an attacker set CamelHttpUri to redirect internal HTTP calls (e.g., to cloud metadata endpoints) and force resolution of Camel property placeholders, leaking environment variables, application properties and vault secrets. Where the WebSocket endpoint is exposed without authentication the issue is unauthenticated (CVSS 7.5); there is no public exploit identified at time of analysis and EPSS is low (0.24%).

Hashicorp SSRF Microsoft +2
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Server-side request forgery in the Apache Camel camel-dns component lets any HTTP client control DNS lookups when a route bridges an HTTP consumer (e.g. platform-http) into a dns: producer. Because the dns.server, dns.name, dns.domain, dns.type, dns.class and term headers lack the Camel/camel prefix, HttpHeaderFilterStrategy does not strip them at the HTTP boundary, so an attacker can point the resolver at an attacker-controlled DNS server and enumerate internal hostnames. It affects Camel 4.0.0-4.14.7, 4.15.0-4.18.2 and 4.19.0-4.20.x; no public exploit identified at time of analysis, and EPSS is low (0.15%), but SSVC rates the flaw automatable with total technical impact.

SSRF Microsoft Apache +1
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Server-side request forgery and parameter/field injection in the Apache Camel camel-solr component (versions 4.0.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.x) allow remote attackers to hijack Solr requests issued by a Camel route. Because the SolrParam. and SolrField. header prefixes lack the Camel/camel namespace, HttpHeaderFilterStrategy does not strip them at the HTTP boundary, so any client hitting a route that bridges an HTTP consumer (e.g. platform-http) into a solr: producer can inject arbitrary Solr parameters - notably shards or stream.url to force the Solr server into attacker-chosen outbound requests (internal services, cloud metadata endpoints), or qt to reach admin handlers - and inject arbitrary indexed-document fields. Rated CVSS 9.1; there is no public exploit identified at time of analysis and EPSS is low (0.18%), but SSVC marks the flaw as automatable with total technical impact.

SSRF Microsoft Apache +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-side request forgery and secret disclosure in Apache Camel's camel-vertx-websocket component (versions 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x) let a WebSocket client inject Camel-internal control headers such as CamelHttpUri because inbound query/path parameters are copied into the Exchange header map without a HeaderFilterStrategy. In routes that bridge the WebSocket consumer into a downstream HTTP producer, an attacker can redirect the server-side HTTP request to internal services or cloud metadata endpoints, and because the HTTP producer resolves Camel property placeholders on the attacker-supplied URI, environment variables, application properties, and vault secrets are resolved and exfiltrated. When the WebSocket endpoint is exposed without authentication (PR:N per CVSS), this is reachable by an unauthenticated remote attacker; there is no public exploit identified at time of analysis, and EPSS is low at 0.24%.

Hashicorp SSRF Microsoft +2
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in the mcp-wiki/wiki-summary component of AIAnytime Awesome-MCP-Server (up to commit a884bb51) allows a remote, low-privileged attacker to manipulate the `url` argument in `mcp-wiki/src/mcp_wiki/server.py`, causing the server to issue arbitrary HTTP requests to internal or external resources on the attacker's behalf. Successful exploitation can expose internal services, cloud metadata endpoints, or other backend infrastructure inaccessible from the public internet. A publicly available exploit exists (POC confirmed via GitHub issue #35); this CVE is not currently listed in CISA KEV. The CVSS 4.0 score of 5.3 reflects a moderate severity with low-privilege authentication required and partial confidentiality, integrity, and availability impact.

SSRF Awesome Mcp Server
NVD VulDB GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) via HTTP redirect in Gitea's repository migration feature affects all versions through 1.25.4, allowing an authenticated attacker to coerce the Gitea server into issuing HTTP requests to arbitrary internal network destinations by supplying a crafted migration URL that redirects to an internal address. The CVSS score of 6.5 (C:H) reflects that successful exploitation can expose sensitive internal service responses - including cloud metadata endpoints, internal APIs, or other intranet services - to the attacker. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor patch is available in v1.26.3 and v1.26.4.

SSRF Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Server-side request forgery in Microsoft Edge (Chromium-based) versions before 150.0.4078.48 enables unauthenticated remote attackers to perform network spoofing by inducing the browser to issue forged requests on behalf of a victim. The attack requires user interaction - a victim must visit or interact with attacker-controlled content - after which the browser can be coerced into making unauthorized requests that manipulate resource integrity or availability. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; a vendor-released patch is available.

SSRF Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 7.4
HIGH PATCH This Week

Server-side request forgery in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker coax a victim's browser into issuing forged network requests, enabling spoofing and disclosure of sensitive data over the network. Exploitation requires user interaction (visiting or interacting with attacker-controlled content), and the CVSS scope-change flag indicates the browser can be pivoted to reach resources beyond its own security boundary. No public exploit identified at time of analysis (CVSS E:U), but a vendor fix is already available and the finding is vendor-confirmed (RC:C).

SSRF Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows unauthenticated network attackers to perform spoofing by inducing a victim user to visit a malicious page, causing the browser to issue forged requests to internal or external resources. The confidentiality impact is rated High (CVSS C:H), indicating that sensitive data accessible via the browser's network context may be exfiltrated through the SSRF channel. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

SSRF Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Server-side request forgery in Gitea versions up to and including 1.26.2 lets authenticated users abuse incomplete allow-list filtering in the webhook and repository-migration features to coerce the server into making requests to internal or otherwise restricted network destinations. Because the existing SSRF protection is incomplete rather than absent, attackers can craft addresses that bypass the allow-list checks to reach services that should be unreachable from outside. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; a vendor patch is available in Gitea 1.26.3.

SSRF Gitea Gitea Open Source Git Server
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-side request forgery in Eclipse Theia (version 1.26.0 and later) lets a low-privileged user connected to the /services messaging endpoint coerce the backend into fetching an attacker-supplied URL and returning the full response body, exposing localhost admin interfaces and cloud instance metadata that sit behind the browser network boundary. The flaw is exploitable by any client with access to the Theia service connection, making multi-tenant and publicly-reachable deployments the primary concern. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SSRF Eclipse Theia
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Server-Side Request Forgery in WP Import Export Lite (all versions ≤ 3.9.30) allows authenticated administrators to bypass WordPress's native SSRF protections and reach internal network resources, including cloud instance metadata endpoints. The bypass exploits a design flaw: when WordPress's wp_safe_remote_get() correctly blocks a private-range URL and returns a WP_Error, the plugin's Download::download_file() method interprets that error as a cue to retry the original attacker-supplied URL via GuzzleHttp with no filtering and TLS verification disabled. No public exploit is identified at time of analysis and no CISA KEV listing exists, but the cloud credential theft scenario on hosted WordPress environments elevates practical impact beyond the 5.5 base score.

WordPress SSRF Wp Import Export Lite
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft's Azure OpenAI service allows an authorized (low-privileged) attacker to abuse a server-side request forgery flaw (CWE-918) to force the service backend to issue attacker-controlled network requests, resulting in high confidentiality, integrity, and availability impact. The flaw carries CVSS 8.8 and requires only low privileges over the network with no user interaction, but currently shows no public exploit identified at time of analysis and a modest EPSS of 0.62%. Because Azure OpenAI is a Microsoft-hosted cloud service, remediation is delivered server-side by the vendor rather than requiring customer patching.

SSRF Microsoft Azure Open Ai
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH NO ACTION HOSTED Monitor

Privilege escalation via server-side request forgery affects the Microsoft Entra Provisioning Service (SyncFabric), where an authenticated attacker with low privileges can coerce the service into making attacker-controlled network requests to reach internal endpoints and elevate privileges across the identity provisioning fabric. Microsoft has released a fix through MSRC; there is no public exploit identified at time of analysis, and SSVC rates exploitation as none with an EPSS of 0.64%. The high CVSS of 8.8 is driven by total technical impact (C:H/I:H/A:H) against a cloud identity control plane.

SSRF Microsoft Microsoft Entra Provisioning Service
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Server-side request forgery in AutoBangumi before 3.2.8 allows unauthenticated remote attackers to probe internal network services by submitting arbitrary host values to the unprotected POST /api/v1/setup/test-downloader endpoint during the application's initial setup window. The server issues outbound HTTP GET requests to attacker-controlled targets - including internal or reserved IP ranges - and leaks reachability data through echoed connection-error responses, enabling internal network mapping. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.0 base score is 6.9 (Medium), reflecting unauthenticated network access with limited confidentiality impact.

SSRF Auto Bangumi
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

Server-side request forgery in LobeChat before 2.2.10-canary.18 lets authenticated users coerce the server into issuing internal HTTP requests to attacker-chosen URLs, enabling disclosure of internal service responses and cloud credentials from instance metadata endpoints. The flaw stems from two endpoints - skill import (importFromUrl) and topic cover update (fetchImageFromUrl) - calling the global fetch instead of the project's ssrf-safe-fetch wrapper. Publicly available exploit code exists and a vendor patch has shipped, though it is not listed in CISA KEV.

SSRF Lobehub
NVD GitHub
HIGH PATCH This Week

HTTPS-enforcement bypass in the @asymmetric-effort/specifyjs Node.js library (fixed in v0.2.136) allows the internal assertSecureUrl guard to be defeated: when new URL() throws a parse error, the function returned silently instead of throwing, letting an unvalidated request proceed without the intended HTTPS/SSRF check. Attackers who can influence the URL passed into secure-fetch can supply a malformed value to skip validation, enabling server-side request forgery or protocol downgrade. This is a defense-control-bypass flaw with no CVSS score assigned and no public exploit identified at time of analysis.

SSRF
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation via Server-Side Request Forgery in Ubiquiti's UniFi Protect Application allows a low-privileged, network-adjacent attacker to coerce the application into making attacker-controlled requests and escalate to control of the host device. The CVSS 9.9 rating is driven by a scope change (S:C) plus full confidentiality, integrity, and availability impact, meaning the SSRF crosses a security boundary from the application into the underlying host. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.

SSRF Ubiquiti Unifi Protect Application
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-Side Request Forgery in Ubiquiti's UniFi Talk Application allows a network-positioned attacker to coerce the application into making unintended internal requests, resulting in a Denial of Service and an authentication bypass against certain UniFi Talk API endpoints. The flaw carries CVSS 7.5 (scope-changed, high availability impact) and is reachable by remote attackers without authentication (PR:N), though a high attack complexity (AC:H) constrains reliable exploitation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SSRF Ubiquiti Denial Of Service +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across the Dream Machine, Dream Router, Cloud Gateway, Cloud Key, Enterprise Fortress/Firewall, and NVR/EVR product lines running versions below 5.1.19. A low-privileged user with network access can coerce the device into making attacker-controlled internal requests, leveraging the SSRF to reach privileged internal services and elevate to higher privileges within the appliance. No public exploit identified at time of analysis, EPSS risk is low (0.20%, 10th percentile), and the flaw is not listed in CISA KEV, but a vendor patch is available.

SSRF Ubiquiti Unifi Os Server +11
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) in the GeoDirectory WordPress plugin (versions 2.8.161 and earlier) allows authenticated subscribers to force the server to issue arbitrary internal or external HTTP requests. Because the vulnerability is accessible at the lowest WordPress registered-user privilege level (subscriber), any registered site user can trigger it without elevated permissions. No public exploit or CISA KEV entry has been identified at time of analysis, but the Scope:Changed CVSS rating confirms the impact extends beyond the WordPress application itself to backend infrastructure reachable from the server.

SSRF Geodirectory
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery in the Paid Member Subscriptions WordPress plugin (versions 3.0.4 and earlier by Cozmoslabs) lets remote unauthenticated attackers coerce the WordPress server into issuing arbitrary outbound HTTP requests. Per the CVSS vector (PR:N, S:C) the flaw is reachable without authentication and crosses a security boundary, enabling attackers to reach internal-only services, cloud metadata endpoints, or other back-end systems the WordPress host can talk to. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS was not provided.

SSRF Paid Member Subscriptions
NVD
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Server-Side Request Forgery in liboauth2 prior to version 2.3.0 allows an unauthenticated attacker to force any application using the AWS ALB JWT verification path to issue GET requests to arbitrary internal network paths. The vulnerability exists because the `oauth2_jose_jwks_aws_alb_resolve()` function reads the unverified `kid` JWT header field and appends it directly to the configured `alb_base_url` - without URL encoding or path sanitization - before any cryptographic signature check occurs. No public exploit code has been identified at time of analysis, but the low attack complexity and zero privilege requirement make this a meaningful risk for AWS-integrated deployments where liboauth2 handles ALB token verification.

SSRF Liboauth2
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Server-side request forgery and OIDC token forgery in Eclipse CSI PIA lets an unauthenticated attacker abuse a flawed Jenkins issuer allowlist (a bare `startswith('https://ci.eclipse.org')` check in `is_issuer_known`, pia/models.py:139) to redirect OIDC discovery and JWKS fetches to an attacker-controlled host. By posting a crafted issuer such as `https://ci.eclipse.org@evil.host` or `https://ci.eclipse.org.evil.host` to `POST /v1/upload/sbom`, an attacker forces PIA to make outbound requests to arbitrary hosts and to accept a JWT signed with the attacker's own key, effectively bypassing token verification. No public exploit identified at time of analysis, but the flaw is unauthenticated and network-reachable, and the CVSS 3.1 base score is 8.2.

SSRF Jenkins Eclipse Csi Pia
NVD
CVSS 8.1
HIGH POC PATCH This Week

Apify API token exfiltration in @apify/actors-mcp-server 0.10.7 lets a remote attacker steal a victim's bearer credential via URL authority injection (CWE-918/SSRF). Because getActorMCPServerURL() naively concatenates a trusted standby base URL with an attacker-controlled webServerMcpPath from an Actor definition, an Actor published with a value like '@attacker.example/mcp' causes the WHATWG URL parser to resolve the outbound connection to the attacker's host, and connectMCPClient() unconditionally forwards the victim's 'Authorization: Bearer <APIFY_TOKEN>' header there. Publicly available exploit code exists (a Docker-based PoC that captures the token on an attacker HTTPS server); no active exploitation is confirmed.

Python SSRF OpenSSL +3
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Credential leakage in oras-go v2 (oras.land/oras-go) lets a malicious or compromised OCI registry steal a client's Authorization credentials by returning a cross-host Location header during monolithic blob upload; oras-go follows the redirect and reuses the original bearer/basic credentials on the PUT to the attacker-controlled host, also yielding client-side SSRF to an arbitrary cross-host target. Any Go application that pushes artifacts using oras-go v2.6.0 (and likely earlier v2.x) is affected. Rated CVSS 7.5 (High); no CISA KEV listing and no public exploitation, but the reporter includes a local proof-of-concept reproduction harness (poc.zip), and a fixed release (v2.6.1) is available.

SSRF Canonical
NVD GitHub
LOW PATCH Monitor

Unvalidated bearer realm URL handling in oras-go v2 ≤ 2.6.0 enables two distinct attack primitives against users who run oras operations against a malicious, compromised, or man-in-the-middle'd registry: server-side request forgery (SSRF) to internal network endpoints including cloud instance metadata services, and TLS downgrade that exposes user credentials in plaintext. The OCI distribution spec legitimately allows cross-host realm references for split-auth deployments (e.g., Docker Hub's auth.docker.io pattern), but oras-go failed to block private IP literals, loopback addresses, and scheme downgrades from https to http - patterns that are never legitimate under any valid registry trust model. No active exploitation has been confirmed (not in CISA KEV), and a patch is available in v2.6.1.

SSRF Microsoft Docker
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Helm credential exfiltration in Rancher Fleet allows an attacker with git push access to a Fleet-monitored repository to redirect configured Helm BasicAuth credentials to an attacker-controlled server by manipulating the `helm.repo` field inside a committed `fleet.yaml`. Affected deployments are those where `GitRepo` resources carry `helmSecretName` or `helmSecretNameForPaths` but lack a `helmRepoURLRegex` allowlist - the default state for most pre-patch installations across the v0.12, v0.13, v0.14, and v0.15 release lines. No public exploit code has been identified and the vulnerability is absent from the CISA KEV catalog, but the low attack complexity and clear credential-theft path make this a meaningful supply-chain risk for organizations relying on private Helm repositories within Rancher-managed multi-cluster environments.

SSRF
NVD GitHub VulDB
CVSS 7.4
HIGH POC PATCH This Week

Server-Side Request Forgery in auth-fetch-mcp v3.0.1 lets an attacker who controls the url argument of the auth_fetch or download_media MCP tools reach loopback and private-range services that the built-in assertSafeUrl() guard is supposed to block. The bypass works by encoding the target as an IPv4-mapped IPv6 literal (e.g. http://[::ffff:127.0.0.1]:PORT/), which Node's WHATWG URL parser normalizes to ::ffff:7f00:1 so the private-IP check falls through. A detailed, reproduced proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no vendor-released patch identified at time of analysis. CVSS 3.1 is 7.4 (High); EPSS was not provided.

Node.js SSRF Docker +1
NVD GitHub
CVSS 4.3
MEDIUM PATCH This Month

SSRF policy bypass in jshookmcp 0.3.1 allows an authenticated MCP client with network domain access to probe internal RFC 1918 and reserved addresses that are explicitly blocked by all other network tools on the same server. The `network_icmp_probe` and `network_traceroute` handlers call `resolveHostname` directly without invoking the central `resolveAuthorizedTransportTarget` guard, creating an inconsistent enforcement boundary. No CISA KEV listing exists, but proof-of-concept test code demonstrating the bypass via the `handleCallTool` dispatch path is included in the GitHub advisory (GHSA-c5r6-m4mr-8q5j), confirming exploitability without external traffic.

SSRF Microsoft Node.js +2
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Server-side request forgery in NVIDIA Megatron Bridge for Linux allows an attacker to coerce the software into issuing attacker-controlled requests, potentially leading to disclosure of sensitive information. The flaw (CWE-918) was reported by NVIDIA itself and carries a vendor CVSS 3.1 score of 7.8; notably the vector is scored as local with required user interaction (AV:L/UI:R) rather than a classic remote SSRF, which security teams should reconcile against the SSRF classification. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Nvidia SSRF Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side request forgery in Open WebUI before 0.6.27 enables authenticated users to bypass SSRF protections in the web retrieval endpoint by supplying URLs that trigger server-side HTTP redirects to internal network resources. The /api/v1/retrieval/process/web endpoint follows Location redirect headers without revalidating the destination against SSRF blocklists, exposing internal services and potentially instance secrets that could enable command execution. No public exploit code or active exploitation has been identified at time of analysis, but the authenticated escalation path to internal infrastructure warrants prompt patching.

SSRF Open Webui
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL PATCH Act Now

Arbitrary JavaScript execution in Crawl4AI's Docker API server (versions before 0.8.7) lets remote attackers submit code to the /execute_js endpoint, which runs it inside the server's Chromium browser context launched with --disable-web-security. Because the browser's same-origin and CORS protections are disabled, attacker-controlled JavaScript can pivot into server-side request forgery against internal services and metadata endpoints. No public exploit has been identified at time of analysis, and the CVSS 4.0 base score is 9.2 (critical), though the vector's high attack complexity and present attack requirements indicate exploitation is not fully trivial.

Code Injection SSRF Docker +2
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Server-side request forgery in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 enables authenticated attackers to coerce the server into issuing arbitrary outbound HTTP requests to attacker-controlled destinations. The CVSS vector (PR:L) confirms exploitation requires a valid account, but no elevated privileges are needed beyond basic authentication. Primary impact is internal network enumeration and potential pivoting to services that trust the watsonx.data host, rather than direct data exfiltration. No public exploit code or CISA KEV listing has been identified at time of analysis.

SSRF IBM Watsonx Data Intelligence
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote, unauthenticated attackers coerce the server into issuing crafted requests to internal or external systems when the optional apiDiscovery-1.0 feature is enabled. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N), reflecting network-reachable, no-privilege exploitation, though no public exploit is identified at time of analysis and EPSS is low at 0.19% (8th percentile). CISA SSVC scores exploitation as none and non-automatable, indicating no observed weaponization yet.

SSRF IBM Websphere Application Server
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Server-side request forgery in IBM WebSphere Application Server Liberty (17.0.0.3 through 26.0.0.7) lets remote unauthenticated attackers coerce the server into making arbitrary outbound requests when the adminCenter-1.0 feature is enabled. Reported by IBM PSIRT with a CVSS 3.1 base score of 9.8, the flaw carries no public exploit identified at time of analysis; EPSS is low at 0.21% (12th percentile) and CISA SSVC records exploitation status as none. The adminCenter-1.0 administrative console feature is the specific attack surface, so exposure is limited to Liberty instances that enable it.

SSRF IBM Websphere Application Server
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Server-Side Request Forgery in IBM Langflow OSS 1.0.0 through 1.9.6 lets an attacker coerce the application into making arbitrary HTTP requests via the legacy RSSReaderComponent (rss.py) and the SearXNG component (searxng.py), which fetch user-controlled URLs without validation. These two components bypass the SSRF protections that were added in version 1.9.3, allowing reach into internal resources such as AWS/Azure/GCP instance metadata (IMDS) to steal IAM credentials and enumerate internal networks. The flaw is reachable directly by an authenticated user and indirectly through prompt injection in agentic workflows because the components are exposed with tool_mode=True; no public exploit identified at time of analysis.

SSRF IBM Microsoft +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Server-Side Request Forgery in IBM Langflow OSS 1.0.0 through 1.9.3 allows a low-privileged authenticated user to coerce the server into making attacker-controlled internal requests by abusing the URL data-source component, where a Time-of-Check/Time-of-Use race condition lets a hostname resolve to a safe address during validation and a private/internal address at fetch time (classic DNS rebinding). Exploitation is rated CVSS 7.1 with a scope change, reflecting that the server can be made to reach internal services beyond its own trust boundary; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SSRF IBM Langflow
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Server-Side Request Forgery in IBM Langflow OSS 1.0.0 through 1.9.3 lets an authenticated flow-author bypass the API Request component's SSRF protections by toggling the follow_redirects parameter and pointing it at a benign public URL that redirects to internal or localhost targets. Because only the initial URL is validated and redirect destinations are not re-checked, attackers can pivot to cloud metadata services, localhost endpoints, and private-network HTTP services to exfiltrate credentials, tokens, and admin-panel data. No public exploit identified at time of analysis; risk is driven by the CVSS 8.5 rating and the high value of cloud-metadata SSRF targets rather than confirmed in-the-wild use.

SSRF IBM Langflow
NVD
EPSS 3% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 arises from roughly 50 generated CORBA stub classes in the shipped ogclient.jar that invoke ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, converting any unfiltered ObjectInputStream sink in the surrounding WebSphere Application Server into outbound IIOP server-side request forgery. When chained with the IBM ORB getUserException class-instantiation flaw (tracked as WAS-26), that SSRF escalates to code execution on the calling JVM. CVSS is 10.0 (scope-changed, full CIA impact); EPSS is 3.01% (86th percentile) and there is no public exploit identified at time of analysis.

Deserialization SSRF RCE +3
NVD VulDB
CVSS 8.7
HIGH PATCH This Week

Server-Side Request Forgery in Sigstore Fulcio (before v1.8.6) lets a compromised or malicious OIDC issuer redirect the OIDC Discovery client's metadata fetches to attacker-chosen hosts, enabling blind SSRF against internal systems, poisoning of the verifier cache via a substituted jwks_uri so forged signatures validate, and leakage of the in-cluster Kubernetes ServiceAccount token to third-party hosts. Unauthenticated remote attackers who control a configured (or wildcard-matched) issuer can chain these into trust compromise of the certificate authority. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SSRF Kubernetes
NVD GitHub
EPSS 0% CVSS 8.6
HIGH This Week

Server-Side Request Forgery in Adobe ColdFusion 2025.9, 2023.20 and all earlier releases lets a remote, unauthenticated attacker coerce the server into issuing crafted requests, bypassing intended security controls to gain unauthorized read access to otherwise protected resources. Because the CVSS scope is changed (S:C) and confidentiality impact is High, the attacker can reach internal systems or restricted endpoints beyond ColdFusion's own boundary without any user interaction. No public exploit identified at time of analysis, and this CVE is not on CISA KEV.

SSRF Coldfusion
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged attackers to redirect internal HTTP requests to cloud metadata endpoints on AWS, GCP, and Azure environments. By manipulating HTTP parameters in the http_proxies_controller or http_proxy configuration files, an attacker can cause the Foreman server to issue forged requests to internal metadata services (e.g., AWS IMDS at 169.254.169.254), potentially harvesting IAM role credentials, access tokens, and environment configuration secrets. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the confidentiality impact is high given the value of cloud metadata credentials.

SSRF Microsoft Red Hat Satellite 6 +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

SQL injection in SigNoz observability platform (versions through 0.130.1) lets authenticated, low-privileged users inject arbitrary ClickHouse queries through the unsanitized rule ID path parameter of the alert-history endpoints. By URL-encoding quote characters that break out of the interpolated rule ID, an attacker can read every stored trace, log, and metric, and can abuse ClickHouse's url() table function to pivot into server-side request forgery against internal services. This is CWE-89 with a documented SSRF secondary impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.

SSRF SQLi
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Server-side request forgery in Pinpoint APM through version 3.1.0 allows authenticated users with low privileges to register internal or cloud-metadata URLs as alarm webhook targets due to missing URL validation on the webhook registration endpoint. By deliberately triggering alarm threshold breaches, an attacker can coerce the Pinpoint server to issue outbound POST requests to internal hosts, cloud metadata services (such as AWS IMDS at 169.254.169.254), or other non-routable internal infrastructure. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 subsequent-system confidentiality impact is rated High, reflecting the potential to enumerate internal services or harvest cloud credentials.

Authentication Bypass SSRF
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-side request forgery in Nitter's /video media proxy endpoint lets unauthenticated remote attackers coerce the server into fetching arbitrary URLs and returning their HTTP responses, including AWS/GCP cloud metadata endpoints and internal-only network resources. The flaw stems from two compounding errors: the proxy never validates that target URLs belong to Twitter/X domains, and it ships with a hardcoded default HMAC signing key, so an attacker can locally compute the valid HMAC signature required for any URL of their choosing. No public exploit has been identified at time of analysis, but the technical details and the fixing commit are public.

SSRF
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Server-side request forgery in Snowflake CLI versions 3.6.0 through 3.18.x lets an attacker coerce a victim's CLI session into fetching attacker-chosen remote URLs and then retrieving and executing remote SQL in that session's context. The flaw lives in the SQL statement reader's !source/!load directives, which resolve remote references at runtime without restricting the request destination, so a victim who processes attacker-supplied SQL can be made to reach internal/non-public network locations. Despite a 9.6 CVSS, real-world urgency is tempered by required user interaction and a low EPSS (0.09%); there is no public exploit identified at time of analysis and it is not in CISA KEV.

SSRF Snowflake Cli
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Server-side request forgery in GitBucket up to version 4.46.1 allows authenticated users to coerce the application server into issuing HTTP requests to arbitrary internal or private network hosts by supplying a crafted URL to the repository creation "clone from existing repository" feature. The flaw resides in `Git.cloneRepository.setURI()` within `RepositoryCreationService.scala`, where user-supplied URL input reaches JGit without validation against private address ranges. A public exploit exists (GitHub issue #4044), though no CISA KEV listing is present - no confirmed active exploitation at time of analysis. An upstream patch is available as commit 487a9b980f56aa73b6a044b1e86a92eed5043215 via PR #4056.

SSRF Gitbucket
NVD VulDB GitHub
CVSS 3.0
LOW POC PATCH Monitor

DNS rebinding SSRF in Aimeos Pagible CMS's administrative proxy route (`cmsproxy`) exploits a TOCTOU race condition between URL validation and HTTP request execution to bypass private-IP blocklists. Authenticated attackers with basic CMS access who control a TTL=0 DNS server can cause the application to fetch cloud metadata endpoints such as the AWS Instance Metadata Service (169.254.169.254), potentially returning IAM credentials to the attacker. A detailed, step-by-step proof-of-concept is publicly available via GitHub Advisory GHSA-mmj8-wcvw-6789; no active exploitation is confirmed in CISA KEV at time of analysis.

SSRF
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

{tag}) whose value is derived from untrusted log data, an attacker who can influence that data forces the Fluentd node to call arbitrary internal services. There is no public exploit identified at time of analysis, but the upstream fix is shipped in v1.19.3 (PR #5394 adds strict host validation for dynamic endpoints).

Authentication Bypass SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Server-Side Request Forgery in Canonical LXD's image import endpoint allows authenticated users holding the can_create_images entitlement to direct the LXD daemon to make arbitrary outbound HTTP connections, including to loopback addresses, RFC1918 private ranges, and cloud instance metadata services such as 169.254.169.254. Affected versions span 4.12 through 6.9. An attacker can leverage error-based responses to enumerate internal TCP ports and fingerprint internal HTTP services from the daemon's privileged network position, enabling lateral reconnaissance in multi-tenant or cloud-hosted environments. No public exploit code has been identified at time of analysis, and CISA has not listed this in KEV.

SSRF Canonical Lxd
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the SendWebRequestBlock to reach internal network services that the private-IP filter is supposed to protect. The flaw stems from _is_ip_blocked() in backend/backend/util/request.py failing to normalize IPv4-mapped IPv6 addresses and omitting RFC 6598 CGNAT space (100.64.0.0/10), so a hostname resolving to a mapped address passes validation and the request hits the embedded internal IPv4 endpoint. No public exploit identified at time of analysis; this affects all AutoGPT Platform deployments and is fixed in 0.6.52.

SSRF Autogpt
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Server-Side Request Forgery in the Kirki WordPress customizer framework plugin (versions up to and including 6.0.11) allows authenticated subscriber-level users to induce the server to issue arbitrary HTTP requests to internal or external network destinations. The Scope:Changed CVSS designation confirms the exploit can pivot beyond the WordPress application itself to reach internal infrastructure. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis, but the subscriber-level privilege requirement lowers the bar significantly for sites permitting open user registration.

SSRF
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery in the utm.codes WordPress plugin (versions ≤ 1.9.0) enables authenticated subscribers to induce the web server to issue arbitrary outbound HTTP requests, with the vulnerability scope extending beyond the plugin itself to potentially reachable internal network resources. The CVSS Scope:Changed rating reflects that a successful exploit can pivot the server's network identity to probe internal services, cloud metadata endpoints, or intranet hosts inaccessible to the attacker directly. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the low attack complexity and subscriber-level privilege bar make this exploitable by any registered WordPress user on affected installations.

SSRF
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Server-side request forgery in the Mattermost Agents plugin MCP server (stdio mode) allows a low-privileged local attacker to make the server fetch arbitrary internal URLs submitted as file attachment references in post creation requests, enabling exfiltration of data from RFC 1918-addressed services on the internal network. Affected are Mattermost deployments running versions 10.11.x ≤ 10.11.18, 11.5.x ≤ 11.5.6, and 11.6.x ≤ 11.6.3 with the Agents plugin's MCP server active in stdio mode. No public exploit code or CISA KEV listing is present in the available data; exploitation is constrained to attackers who already have local access to the stdio MCP interface.

SSRF Mattermost Mattermost Server
NVD
EPSS 0% CVSS 2.1
LOW Monitor

Server-Side Request Forgery in HTMLy 3.1.1 allows authenticated administrators to coerce the server into issuing arbitrary outbound HTTP or local filesystem requests via the RSS feed import feature. The vulnerable `get_feed()` function at `system/admin/admin.php` lines 1549-1551 passes the admin-supplied URL directly to PHP's `file_get_contents()` with no scheme filtering or allowlist validation, enabling access to cloud metadata endpoints (e.g., 169.254.169.254), internal network services, or local files via `file://` wrappers. No public exploit or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 2.1 reflects the high privilege prerequisite and limited confidentiality impact.

SSRF PHP Htmly
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Server-side request forgery in WSO2 API Manager lets unauthenticated remote attackers coerce the gateway into making server-initiated requests to attacker-chosen destinations by injecting crafted WS-Addressing headers into the message flow. Because the API Manager typically sits at the network edge with reachability into internal systems, this allows pivoting to otherwise unreachable internal resources and services. The vendor rates it CVSS 10.0; it is not in CISA KEV and no public exploit identified at time of analysis, with a low EPSS of 0.20% (10th percentile).

Authentication Bypass SSRF Wso2 Api Manager
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Server-side JavaScript execution and outbound HTTP request capabilities in Rapid7 InsightConnect Markdown Plugin versions 3.1.4 and earlier allow remote attackers to execute arbitrary scripts and make unauthorized HTTP requests through malicious content embedded in Markdown input to the markdown_to_pdf action. The PDF rendering engine lacks sufficient restrictions on script execution and network access. Patched version 4.0.0 is available from the vendor.

XSS SSRF Insightconnect Markdown Plugin
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubevirt.io:edit permissions to establish arbitrary bidirectional TCP tunnels from virt-api's trusted cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation. The vulnerability arises because virt-api reads the target IP from vmi.Status.Interfaces[0].IP - a value supplied by the QEMU guest agent inside the VM and thus fully controllable by the VM owner when non-masquerade network bindings (bridge or secondary-only) are in use - and passes it directly to net.Dial() without validation. No public exploit or active exploitation has been identified at time of analysis; EPSS data was not available in the provided intelligence.

SSRF Kubevirt Openshift Virtualization
NVD
CVSS 9.9
CRITICAL POC PATCH Act Now

Privilege escalation to AWS IAM and PKI compromise in Netflix Lemur 1.9.0 (and earlier) lets any SSO-authenticated, low-privilege user chain an ACME acme_url SSRF with a creator-equality IDOR to steal the worker's AWS STS credentials and retain permanent access to issued TLS private keys. Because Lemur auto-provisions new SSO identities as active=True, any holder of a trusted federated identity can reach the vulnerable authority-creation and key-fetch endpoints. A detailed, fully reproduced proof-of-concept (Docker lab plus asciinema recording) exists publicly, though there is no public exploit identified as being used in active attacks and the issue is fixed in 1.9.2.

Python Authentication Bypass SSRF +2
NVD GitHub
CVSS 4.8
MEDIUM POC PATCH This Month

JWT algorithm confusion in Netflix Lemur 1.9.0 allows an attacker to control which signing algorithm the server trusts by supplying an arbitrary alg value in the unverified token header, which is passed directly to pyjwt.decode() instead of a server-pinned allowlist. On current PyJWT 2.x deployments the standalone impact is limited to audit-log blinding and a durable algorithm-downgrade primitive; full account takeover requires chaining with a separate LEMUR_TOKEN_SECRET disclosure vulnerability, after which a forged HS256 admin JWT yields HTTP 200 with role=admin. A public proof-of-concept walkthrough exists (asciinema); no active exploitation is confirmed in CISA KEV.

SSRF Jwt Attack Python +1
NVD GitHub
CVSS 6.3
MEDIUM POC PATCH This Month

Server-Side Request Forgery in Netflix Lemur's certificate verification pipeline allows an authenticated operator-role user to force the Lemur host to issue outbound HTTP requests to arbitrary internal destinations by uploading a crafted certificate whose CRL Distribution Point or OCSP responder extensions point to RFC1918 addresses, link-local endpoints (169.254.169.254), internal Kubernetes API servers, or loopback interfaces. Both `crl_verify` and `ocsp_verify` in `lemur/certificates/verify.py` pass attacker-controlled URLs directly to network sinks with no destination allow-list, scheme restriction beyond LDAP rejection, or private-address filtering. No public exploit confirmed in CISA KEV, but detailed proof-of-concept reproduction steps are published in the GitHub Security Advisory GHSA-54vg-pfh7-jq95; vendor-released patch v1.9.2 is available.

OpenSSL SSRF Python +1
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

Server-side request forgery in Red Hat Build of Apicurio Registry 3 allows a Developer-role user to coerce the registry server into issuing HTTP requests to arbitrary internal URLs. The flaw stems from the WSDLReaderAccessor instantiating a wsdl4j WSDLReader with the javax.wsdl.importDocuments feature left enabled, so a crafted WSDL artifact with attacker-controlled import locations is fetched when content validation runs at FULL strictness. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; CVSS is 7.4 (scope-changed) and exploitation requires authenticated low-privilege access plus a non-default validation setting.

SSRF Red Hat Build Of Apicurio Registry 3
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Server-side request forgery and denial of service in Red Hat Build of Apicurio Registry 3 stem from unsafe XML parsing in the ContentTypeUtil.isParsableXml() method, which builds a SAXParserFactory without secure processing or external-entity restrictions (CWE-611, XXE). An attacker with artifact-write permission - or any unauthenticated client when the registry runs in its default configuration - can upload a crafted XML artifact whose external DTD/entity references force the server to fetch attacker-chosen URLs (blind SSRF into internal networks) or expand nested entities for resource-exhaustion DoS. CVSS is 8.5 (scope-changed, high availability impact); no public exploit identified at time of analysis.

XXE SSRF Denial Of Service +1
NVD
EPSS 0% CVSS 8.3
HIGH Act Now

Server-side request forgery in the Open Health Imaging Foundation (OHIF) DICOM Web Viewer Framework lets an attacker exfiltrate an authenticated user's OIDC Bearer token by abusing the default-enabled DICOMWebProxy and DICOMJSON data sources, which fetch an attacker-supplied URL without validation while OHIF's global auth service silently attaches the victim's token to the outbound request. Any authenticated user lured into loading a malicious viewer link sends their live credential to an attacker-controlled host, enabling identity takeover against the PACS or backend. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the high-impact token leakage and default-configuration exposure make it a meaningful credential-theft risk.

SSRF Dicom Web Viewer Framework
NVD GitHub
CVSS 8.8
HIGH PATCH This Week

Privilege escalation via broken authorization in Netflix Lemur (versions <= 1.9.0) lets any authenticated user - including the shipped lowest-privilege `read-only` role - perform admin-only certificate-management actions. Because the `StrictRolePermission` and `AuthorityCreatorPermission` classes were instantiated with an empty Need set when their config flags were left at the default `False`, Flask-Principal's `allows()` returns True for every identity, removing the only role gate in front of CA creation, certificate upload, notification (SSRF sink) management, and domain registry edits. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation requires only a single low-privilege credential, making it a direct pivot to control of the PKI issuance plane.

Authentication Bypass SSRF Python
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Server-side request forgery in MaxKB before 2.10.0 allows any authenticated user holding the default workspace USER role to coerce the application server into making arbitrary HTTP requests to attacker-controlled destinations via the `downloadCallbackUrl` and `download_url` parameters on ToolSerializer endpoints. An attacker can pivot through the MaxKB host to probe and extract data from internal network services - cloud metadata APIs, internal databases, adjacent microservices - that would otherwise be inaccessible from outside the network perimeter. A public proof-of-concept exists at GitHub issue #6272; this is not confirmed actively exploited (not in CISA KEV).

SSRF Maxkb
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Server-side request forgery in NewsBlur's add_url endpoint allows any authenticated user to direct the server to issue arbitrary HTTP requests to private, loopback, or link-local addresses, including cloud instance metadata services. All NewsBlur deployments prior to version 14.5.0 (CPE: cpe:2.3:a:samuelclay:newsblur) are affected. An attacker with a valid account can supply a URL resolving to 169.254.169.254 or other internal addresses, enabling exfiltration of cloud provider IAM credentials and internal network reconnaissance. No public exploit identified at time of analysis, though patch commits are publicly available on GitHub and document the exact missing validation check.

SSRF Information Disclosure Newsblur
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

Server-side request forgery in Huly Platform's /import endpoint allows authenticated workspace users to coerce the front pod into making arbitrary HTTP requests to internal infrastructure. Any valid workspace account can supply attacker-controlled URLs; the server fetches them, leaking internal service responses - including cloud metadata credentials - back to the attacker. A publicly available exploit exists per the GitHub issue tracker, though active exploitation has not been confirmed by CISA KEV. The CVSS 4.0 vector assigns SC:H, flagging high confidentiality impact on subsequent (internal) systems as the primary risk.

SSRF Platform
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Server-side request forgery in ToolJet's RestAPI data source (versions prior to 3.20.178-lts) allows a low-privileged platform user to reach internal network endpoints because the private-IP filter validates only the hostname string rather than the resolved IP. By supplying a DNS name such as 169.254.169.254.nip.io, an attacker bypasses the filter and forces the server to query the Azure IMDS link-local endpoint, enabling theft of managed-identity tokens for the backing AKS production cluster. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the cloud-credential impact makes it a high-value SSRF.

SSRF Microsoft Tooljet
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery in LibreChat before 0.8.4-rc1 lets any authenticated user point a custom OpenAI-compatible endpoint baseURL at internal network addresses, because the URL is used to build HTTP requests with no SSRF validation whatsoever - no private-IP blocking, no scheme restriction, and no DNS pinning. By abusing the legitimate custom-endpoint feature, a logged-in user can coerce the server into reaching internal-only services and returning their responses, with a CVSS 3.1 score of 7.7 driven by a changed scope and high confidentiality impact. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the trivial low-complexity nature makes it readily exploitable once an account exists.

SSRF Librechat
NVD GitHub
EPSS 0% CVSS 2.6
LOW PATCH Monitor

NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema parsing despite the default network-blocking parse option being set, exposing applications to potential SSRF and XXE attacks. Only JRuby-based deployments are affected - CRuby users are fully protected because libxml2's xmlNoNetExternalEntityLoader enforces NONET at the I/O layer independently of Nokogiri's option handling. Rated low severity by maintainers (CVSS 2.6); vendor-released patch is available in version 1.19.4, and no public exploit has been identified at time of analysis.

XXE SSRF Nokogiri
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

HTML injection into server-side PDF rendering contexts in Pretix enables low-privileged authenticated users to embed external image references that trigger outbound HTTP requests from the rendering engine, leaking the server's network identity and creating an SSRF vector against internal network services. The CVSS 4.0 score of 2.1 reflects genuinely low severity - exploitation requires authentication, specific content reaching PDF rendering paths, and passive user interaction to trigger PDF generation. No public exploit code exists and this vulnerability is absent from CISA KEV.

XSS SSRF Pretix
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Reverse-proxy takeover in Appsmith versions prior to 2.1 lets an authenticated low-privileged user abuse server-side request forgery to reach the bundled Caddy admin API, which ships with no authentication and listens on 0.0.0.0:2019 inside the container. By forcing the Appsmith server to issue a POST /load to that internal endpoint, the attacker rewrites the live Caddy configuration and seizes control of the reverse proxy that fronts the application. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-confirmed CWE-749 exposure carries a 9.9 CVSS rating.

SSRF Docker Appsmith
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side request forgery in Appsmith prior to version 2.1 allows authenticated users to reach loopback-bound services inside the deployment container by exploiting a split code path in host validation logic. The WebClientUtils component used by REST API and GraphQL datasource plugins enforces only an exact-match string denylist, while the comprehensive address-class check covering loopback, any-local, link-local, and fc00::/7 IPv6 ranges exists solely on the SMTP plugin code path - leaving the HTTP path bypassable. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

SSRF Appsmith
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Server-Side Request Forgery in Mastodon before 4.5.10, 4.4.17, and 4.3.23 lets attackers coerce the server into issuing HTTP requests to loopback interfaces, reaching private resources and internal services that should be unreachable from the public internet. The flaw stems from an incomplete IP-range blocklist that omitted a range capable of resolving to local addresses. No public exploit identified at time of analysis; the upstream advisory (GHSA-crr4-7rm4-8gpw) accompanies the fixed releases.

SSRF Mastodon
NVD GitHub
Prev Page 2 of 32 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
2848

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy