Skip to main content

Server-Side Request Forgery

web HIGH

Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs.

How It Works

Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs. When a web server accepts a URL parameter to retrieve external content—for example, to proxy images, validate webhooks, or import data—an attacker can manipulate that parameter to make the server send requests to unintended destinations. The critical issue is that these requests originate from the server itself, bypassing firewalls and network controls that would block direct external access.

Attacks come in several forms. Direct SSRF gives the attacker full control over the destination URL, allowing them to target internal services like http://localhost:8080/admin or cloud metadata endpoints at http://169.254.169.254/latest/meta-data/. Blind SSRF occurs when the application makes the request but doesn't return the response to the attacker—they must rely on timing differences or out-of-band techniques to confirm success. Partial SSRF restricts the attacker to modifying only part of the URL, such as the hostname or path, requiring more creative exploitation.

The typical attack flow starts with identifying URL parameters that trigger server-side requests. The attacker then probes for internal services by injecting internal IP addresses or localhost references. Common targets include administrative interfaces, internal REST APIs, Redis or Memcached instances, and especially cloud metadata services that expose IAM credentials. Attackers often employ bypass techniques like encoding IPs in decimal format (2130706433 for 127.0.0.1), exploiting URL parser discrepancies between validation and execution layers, or chaining with open redirects to evade basic filters.

Impact

  • Access to internal services that should be network-isolated—admin panels, monitoring dashboards, configuration endpoints
  • Cloud credential theft via metadata APIs, particularly AWS IAM role credentials exposed at 169.254.169.254
  • Reading local files through file:// protocol support, exposing configuration files and source code
  • Network reconnaissance to map internal infrastructure and identify additional attack targets
  • Remote code execution on back-end systems like Redis or Elasticsearch that accept commands over HTTP
  • Pivoting deeper into internal networks by using the compromised server as a proxy for further attacks

Real-World Examples

Capital One suffered a massive breach in 2019 when an attacker exploited SSRF in a web application firewall to query AWS metadata services, stealing credentials that granted access to over 100 million customer records. The vulnerability allowed requests to the internal metadata endpoint that should have been unreachable.

Shopify's infrastructure exposed internal Google Cloud metadata in 2020 through an image proxy feature. Security researchers demonstrated they could retrieve service account credentials by tricking the proxy into fetching from the metadata API, potentially compromising the entire GCP environment.

Numerous CVEs in enterprise products highlight SSRF in common features: webhook validators in GitLab, PDF generators that fetch remote images, and document conversion services. These typically manifest when URL validation assumes all requests will target external internet resources, failing to anticipate internal network abuse.

Mitigation

  • Allowlist approved destination domains rather than trying to blocklist dangerous ones—only permit necessary external services
  • Disable unnecessary URL schemes entirely (file://, gopher://, dict://)—restrict to https:// only where possible
  • Network segmentation to prevent application servers from reaching internal infrastructure—use separate VLANs or VPCs
  • Deploy cloud metadata protections like AWS IMDSv2 requiring session tokens, making metadata unavailable to simple HTTP requests
  • Validate and parse URLs consistently using a single library, then verify resolved IP addresses aren't private ranges
  • Remove response bodies from errors to prevent information disclosure in blind SSRF scenarios

Recent CVEs (2848)

EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Server-side request forgery in Ghost CMS versions 6.19.4 through 6.21.1 allows authenticated staff users to pivot the Ghost server into making arbitrary outbound HTTP requests, including to internal network hosts and cloud instance metadata endpoints. The vulnerable code path is Ghost's post re-rendering pipeline, which fetches image dimensions from URLs stored in image cards without validating those URLs against a trusted host allowlist. No public exploit has been identified at time of analysis, and a vendor-released patch is available in 6.21.1.

Node.js SSRF Ghost
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Full unauthenticated administrative takeover of Payara Server Full (4.x through 7.2026.x, including 6.2024.x and 6.2025.x) is achievable by chaining a Server-Side Request Forgery in the Admin GUI's DownloadServlet with the absence of CSRF protection (CWE-352). An attacker who lures a logged-in administrator into a crafted request exfiltrates the admin REST session token (gfresttoken) to an attacker-controlled host, then replays it for full domain control and arbitrary code execution via WAR deployment. The CVSS 4.0 vector carries E:P (proof-of-concept maturity), so publicly available exploit code exists; there is no CISA KEV listing and no EPSS score in the provided data.

CSRF SSRF RCE +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

XML external entity (XXE) injection in the Jenkins Assembla Plugin version 1.4 and earlier lets an attacker who can control the HTTP responses of the configured Assembla server read sensitive files and secrets from the Jenkins controller and pivot into internal services via server-side request forgery. Mapped to CWE-918 (SSRF) with a CVSS 3.1 base score of 7.1 (high), there is no public exploit identified at time of analysis and CISA SSVC rates exploitation as 'none' with only partial technical impact. Exploitation requires the attacker to influence what the Assembla endpoint returns, so it is a targeted rather than mass-exploitable condition.

XXE SSRF Jenkins +1
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Server-Side Request Forgery in Pentestify 1.0.0's PDF generation endpoint enables remote attackers (PR:N per CVSS 4.0 vector) to coerce the server into issuing outbound HTTP requests to arbitrary internal or external targets, including cloud metadata services such as the AWS Instance Metadata Service at 169.254.169.254, by supplying a crafted HTTP Host header. The rendered PDF is returned to the caller, potentially leaking internal service responses or IAM role credentials. No public exploit code has been identified and no CISA KEV listing exists at time of analysis; the vulnerability is patched in version 1.1.0.

SSRF
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Server-side request forgery in the Kargo Takip WordPress plugin (versions through 1.2) allows unauthenticated remote attackers to coerce the site into issuing arbitrary HTTP requests via the 'api_url' parameter and to exfiltrate data from internal services. Because the plugin echoes the value of any 'auth' key from the JSON response back to the attacker, it enables direct retrieval of sensitive responses such as cloud instance metadata credentials. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.

SSRF WordPress Kargo Takip
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery in the WP Meta SEO WordPress plugin (all versions through 4.5.18) enables authenticated contributors to coerce the web server into issuing arbitrary outbound HTTP requests via the `new_link` parameter, with the response status code reflected back through the AJAX JSON response as `status_code`. This status-code oracle allows methodical enumeration of internal network hosts and cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254), making it particularly dangerous in cloud-hosted WordPress deployments. No public exploit identified at time of analysis, though the vulnerability is confirmed by Wordfence with direct source code references and the technique is well-understood.

SSRF Oracle WordPress +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery in the WordPress URL Preview plugin (all versions through 1.0) allows unauthenticated attackers to coerce the WordPress server into making arbitrary outbound HTTP requests via the 'url' parameter. The flaw, reported by Wordfence and tracked as CWE-918, enables querying or modifying data on internal services reachable from the WordPress host, including cloud metadata endpoints and internal admin panels. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable given AV:N/AC:L/PR:N/UI:N.

SSRF WordPress Url Preview
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Eager DNS resolution during InetSocketAddress deserialization in jackson-databind (versions 2.0.0 through pre-fix releases across the 2.18, 2.21, and 3.x lines) allows any attacker who can supply untrusted JSON to an affected endpoint to force outbound DNS lookups for attacker-chosen hostnames at readValue() time - before application validation or connect logic can intervene. This DNS-based SSRF (CWE-918) enables internal resolver probing, network topology enumeration, and DNS out-of-band interaction signals against applications that deserialize untrusted JSON into types containing InetSocketAddress fields. No public exploit code and no CISA KEV listing have been identified at time of analysis; EPSS data was not available in the provided intelligence sources.

SSRF Deserialization Jackson Databind +1
NVD GitHub HeroDevs VulDB
CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated remote action execution in motionEye (pip/motioneye < 0.44.0) exposes every camera action endpoint - snapshots, recording start/stop, and administrator-configured shell scripts - to any attacker who can reach port 8765, due to a missing @BaseHandler.auth() decorator on ActionHandler.post(). Dynamically confirmed on v0.43.1 in a Docker lab environment; exploitation requires only a single HTTP POST with no credentials, headers, or user interaction. Beyond the CVSS 5.3 Medium rating, real-world impact extends to physical security bypass (PTZ, alarms, lighting controls) if action scripts are configured, and SSRF via remote camera triggering - no public exploit or CISA KEV listing is identified at time of analysis.

Docker Authentication Bypass Python +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Server-side request forgery in Gogs versions prior to 0.14.3 allows authenticated users to bypass the migration URL blocklist by submitting a public clone URL that HTTP-redirects to internal endpoints such as 127.0.0.1, causing git clone --mirror to fetch internal repositories and import their contents into an attacker-controlled repo. Affected installations leak source code and secrets from any HTTP-reachable internal Git endpoint, and the migration job doubles as an internal network scanner. No public exploit identified at time of analysis, though the advisory contains full reproduction steps.

SSRF
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side request forgery in OpenStack Swift's proxy-server allows authenticated users to manipulate object servers into issuing outbound HTTP requests to attacker-specified hosts. All Swift deployments running version 2.0.0 or later across all maintained release trains are affected, including the 2025.1/epoxy, 2025.2/flamingo, 2026.1/gazpacho, and development 2026.2/hibiscus branches. No public exploit has been identified at time of analysis, but successful exploitation could expose internal infrastructure topology, metadata services, or other resources reachable from the object server tier.

SSRF Swift
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Server-side request forgery in Flowise's Execute Flow node allows authenticated low-privilege users to coerce the server into issuing HTTP requests to arbitrary internal network addresses by supplying intranet URLs through the base URL configuration field. All flowise and flowise-components npm versions through 3.0.13 are affected due to the Execute Flow code path never invoking the secureFetch wrapper present in httpSecurity.ts. Publicly available exploit code exists in GHSA-9hrv-gvrv-6gf2, including a concrete POST request demonstrating server-side retrieval and echo of internal service responses; no CISA KEV listing indicates active mass exploitation at time of analysis.

SSRF Flowise
NVD GitHub VulDB
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Local repository import and blind SSRF in Gogs versions prior to 0.14.3 allows authenticated users to bypass clone-address validation via the Mirror Settings feature. The SaveAddress path in repository Mirror Settings omitted the validation applied to New Migration, letting any authenticated user point a mirror at a local filesystem path or internal address. No public exploit identified at time of analysis beyond the reporter's PoC; not listed in CISA KEV.

SSRF
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Server-side request forgery in Budibase (@budibase/backend-core before 3.39.9) lets authenticated users with automation permissions bypass the SSRF blacklist via DNS rebinding, reaching loopback, RFC1918, and cloud metadata endpoints from the Budibase host. The outbound fetch helper validates a hostname's resolved IP against the blacklist but never pins that IP to the subsequent socket, so node-fetch performs a second DNS lookup that can resolve to an internal address. Because several automation steps return upstream response bodies into automation output, the result is a non-blind read primitive; publicly available exploit code (a rebinding PoC) exists, though EPSS is low (0.24%, 15th percentile) and it is not on CISA KEV.

Kubernetes SSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Server-side request forgery in Gogs (self-hosted Git service) versions ≤ 0.14.2 lets a user who can configure a webhook reach internal-only network addresses by abusing HTTP redirect following. The original CVE-2022-1285 fix only blocked webhook URLs whose hostname resolves into local CIDRs, but the delivery client still chased 3xx redirects, so a webhook pointed at an attacker-controlled host that returns a 301 to http://169.254.169.254/ pivots into cloud metadata and other internal services. Publicly available exploit code exists (a working PoC against try.gogs is documented, dumping DigitalOcean droplet metadata); it is not listed in CISA KEV and no public EPSS figure is provided.

SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in n8n's dynamic node parameters endpoint allows authenticated users with credential access to bypass the platform's Allowed HTTP Request Domains restriction, causing the n8n server to issue outbound HTTP requests carrying stored credentials to attacker-controlled or unauthorized hosts. All n8n deployments prior to version 2.20.0 are affected regardless of domain restriction configuration, as the restriction is not enforced on the POST /rest/dynamic-node-parameters/options endpoint. No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity once authentication is obtained.

SSRF N8n
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Server-side request forgery in Crawl4AI before 0.8.7 allows unauthenticated remote attackers to coerce the server into fetching arbitrary internal URLs via the /crawl, /crawl/stream, /md, and /llm endpoints. The product's internal-address blocklist can be bypassed using IPv6-mapped IPv4 notation (e.g., ::ffff:169.254.169.254), exposing cloud metadata services and internal infrastructure. No public exploit identified at time of analysis, but the GHSA advisory and a VulnCheck write-up document the flaw in detail.

SSRF Crawl4ai
NVD GitHub VulDB
CVSS 5.3
MEDIUM PATCH This Month

Blind Server-Side Request Forgery in Paymenter's PayPal gateway module (versions < 1.5.0) allows remote unauthenticated attackers to coerce the application server into issuing arbitrary HTTP GET requests by supplying a malicious URL in the PAYPAL-CERT-URL HTTP header. The webhook endpoint at /extensions/paypal/webhook passes this header directly to PHP's file_get_contents() with no allowlist, domain validation, or signature pre-check, violating the security intent of PayPal's certificate verification flow. No public exploit has been identified at time of analysis, but the zero-prerequisite attack surface and public advisory disclosure make this an accessible target for any unauthenticated actor who can reach the endpoint.

SSRF
NVD GitHub
MEDIUM PATCH This Month

Server-Side Request Forgery in OpenAM's /sessionservice endpoint allows authenticated attackers to register arbitrary URLs for session event notifications, causing the IAM server to make outbound HTTP requests to attacker-controlled destinations. Affected versions are org.openidentityplatform.openam:openam-core up to and including 16.0.6; the flaw was patched in release 16.1.1. No public exploit code or CISA KEV listing has been identified at time of analysis, but the authentication barrier is low (any valid session), and deployment context - a central enterprise authentication gateway - elevates the downstream risk of internal network reconnaissance or session data exfiltration.

SSRF
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM POC PATCH This Month

Server-side request forgery in phpseclib's X.509 validation allows unauthenticated network attackers to force the validating server to open arbitrary outbound connections to attacker-controlled hosts, including internal loopback addresses (127.0.0.1) and cloud metadata endpoints (169.254.169.254). The flaw exists because X509::validateSignature() unconditionally fetches URLs embedded in the Authority Information Access extension of untrusted certificates with no blocklist or destination filtering - and this behavior is enabled by default across all three maintained release branches. No CISA KEV listing exists at time of analysis, and no weaponized public exploit was referenced, though the GitHub advisory provides exact file and line references making the trigger path immediately reproducible.

SSRF PHP Phpseclib
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Server-Side Request Forgery in IBM Watson Speech Services Cartridge (versions 4.0.0 through 5.3.1) lets an authenticated attacker coerce the system into issuing crafted requests to internal or external hosts, enabling internal network enumeration and pivoting toward follow-on attacks. The weakness lives in the embedded IBM Sterling File Gateway component used by the speech runtimes (GHSA-rr7j-v2q5-chgv). No public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile) and CISA SSVC marks exploitation as none, so this is a patch-priority issue rather than an emergency.

IBM SSRF Ibm Watson Speech Services Cartridge
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Server-side request forgery in IBM WebSphere Application Server 8.5 and 9.0 allows remote unauthenticated attackers to coerce the server into issuing arbitrary outbound requests when the Ajax Proxy is configured, enabling security bypass and information disclosure. IBM has released fixes and no public exploit is identified at time of analysis; EPSS is low (0.23%, 14th percentile) and SSVC marks exploitation as 'none' despite a CVSS of 9.1.

IBM SSRF Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in Activepieces through version 0.83.0 enables authenticated remote attackers to coerce the server into issuing arbitrary HTTP requests to attacker-controlled destinations via the `handleUrlFile` function in the File URL Handler component. The vulnerability spans the entire documented release history from 0.1 to 0.83.0, and a public exploit write-up is available on GitHub, materially lowering the exploitation barrier. The vendor did not respond to responsible disclosure, meaning no patch has been released at time of analysis and no official remediation guidance exists.

SSRF Activepieces
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in LiteLLM's experimental MCP OpenAPI Spec Loader allows authenticated remote attackers to coerce the server into issuing arbitrary HTTP requests by supplying a malicious `spec_path` value to the `load_openapi_spec_async` function. Affected versions are LiteLLM 1.82.0 through 1.82.2 as confirmed by EUVD. A public proof-of-concept exploit exists on GitHub, though the vulnerability is not in CISA KEV and the CVSS 4.0 score of 2.1 with E:P modifier reflects low-severity, authenticated exploitation with a known but apparently limited threat footprint.

SSRF Litellm
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in BerriAI LiteLLM versions up to 1.82.2 allows authenticated remote attackers to induce the proxy server to make arbitrary outbound HTTP requests by manipulating the MCP (Model Context Protocol) Server Connection Testing endpoint. The vulnerable function `_execute_with_mcp_client` in the experimental MCP server component fails to validate or restrict user-supplied connection targets, enabling internal network probing, potential access to cloud metadata services, and circumvention of network segmentation controls. A publicly available proof-of-concept exploit exists (GitHub gist by YLChen-007); no CISA KEV listing was present at time of analysis. The CVSS 4.0 reported score of 2.1 reflects threat-metric downgrade from E:P (proof-of-concept) and should not be taken as indicative of low inherent exploitability - the base network vector with low-privilege access represents a meaningful internal network exposure risk.

SSRF Litellm
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Full-read SSRF in AVideo through version 27.0 allows authenticated administrators to make the server fetch arbitrary URLs via the statsURL parameter in plugin/Live/test.php, including cloud metadata endpoints and internal network services. The endpoint bypasses the codebase's own isSSRFSafeURL() guard - used in seven other endpoints - and returns full response bodies in the HTML output, enabling retrieval of IAM credentials from cloud metadata services such as 169.254.169.254, internal service data, and network configuration details. No public exploit code has been formally labeled as proof-of-concept, but the GHSA advisory discloses the complete vulnerable code path with all three sink functions (file_get_contents, curl_exec, wget), making exploitation trivial for any party who has read the advisory.

PHP SSRF Avideo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-side request forgery in Capgo's webhook URL validation exposes internal infrastructure to organization admins who can direct the backend to issue HTTP requests against loopback and private addresses (localhost, 127.0.0.1). All Capgo versions prior to 12.128.2 are affected per the GitHub Security Advisory GHSA-48hc-53hv-6x3f. The vulnerability is particularly dangerous in cloud-hosted deployments where the backend server can reach instance metadata services (e.g., AWS IMDS), and error responses are disclosed directly to the triggering user, enabling iterative internal network reconnaissance. No public exploit identified at time of analysis and no CISA KEV listing, but the authenticated-admin attack path lowers the effective barrier in multi-tenant SaaS environments.

SSRF Capgo
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Denial Of Service +2
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Incomplete SSRF remediation in mailpit v1.29.2 through v1.30.1 leaves the Link Check API bypassable via IPv6 transition mechanism literals (6to4, NAT64, IPv4-compatible IPv6, ISATAP, Teredo) and unclassified IPv6 prefixes (fec0::/10, 2001:db8::/32) that Go's stdlib Is* classification helpers silently pass. An unauthenticated network attacker who can deliver email to mailpit's SMTP listener and invoke the Link Check API can coerce the application into dialing internal IPv4 destinations - including cloud metadata endpoints at 169.254.169.254 - by encoding the target as an IPv6 literal that returns false for all seven predicates in IsInternalIP, bypassing the guard introduced for CVE-2026-27808. Publicly available exploit code exists in the form of a reproducible unit test and end-to-end proof-of-concept published in the advisory; this is the same deny-list bypass class confirmed in CVE-2026-44430 (MCP Registry) and CVE-2026-45741 (Gotenberg).

Gitlab Python Microsoft +2
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Server-Side Request Forgery and arbitrary JavaScript injection in Craft CMS 4.x (before 4.18) and 5.x (before 5.10) allow remote unauthenticated attackers to poison the Host or X-Forwarded-Host header against the /actions/app/resource-js endpoint, forcing the backend Guzzle client to proxy attacker-controlled content as application/javascript. When the instance sits behind a caching layer, this chains into web cache poisoning, stored XSS in the Control Panel, and 1-click RCE via session-riding the plugin install action. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-c55v-343g-5xff) provides detailed exploitation mechanics.

SSRF RCE Apache +2
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Server-Side Request Forgery in Mercator's CVE configuration panel allows authenticated users holding the low-privilege 'configure' permission to coerce the application server into issuing arbitrary outbound network requests to any internal or external host. Affected versions prior to 2025.05.19 pass user-supplied URLs directly to curl_init() in ConfigurationController::testProvider() with no scheme, hostname, or private-IP validation; the intended /api/dbInfo suffix restriction is trivially defeated by appending a # fragment character, granting full URL control. Support for the telnet:// scheme enables internal TCP port scanning, while gopher:// permits raw protocol-level interaction with unauthenticated internal services such as Redis and Memcached, creating a realistic path to Remote Code Execution on those systems under common deployment conditions. No public exploit code or CISA KEV listing has been identified at time of analysis.

RCE Redis SSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Server-Side Request Forgery in AWX's GitHub webhook integration (Red Hat Ansible Automation Platform 2) enables a remote attacker possessing a job template's webhook_key to redirect PAT-bearing status callbacks to an attacker-controlled endpoint, exfiltrating the configured GitHub Personal Access Token. The attack exploits AWX's failure to validate that the pull_request.statuses_url field in an incoming webhook payload points to a legitimate GitHub API domain before using it as a POST target. No public exploit is identified at time of analysis, but successful exploitation yields persistent GitHub repository access through the stolen PAT, extending the blast radius well beyond the AWX system itself.

SSRF Red Hat Ansible Automation Platform 2 Red Hat
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

PhpWeasyPrint (pontedilana/php-weasyprint) prior to version 2.6.0 enables server-side request forgery and local file disclosure through its `attachment` option, which passes any URL-shaped value through PHP's `file_get_contents()` without restricting the URL scheme. Applications that expose the `attachment` option to user-controlled input allow an attacker to probe internal HTTP endpoints (including cloud instance metadata services) and read arbitrary local files by supplying schemes such as `file://` or `php://filter/...`, with exfiltrated content embedded directly into the generated PDF output. This is the same vulnerability class patched in KnpLabs/snappy (GHSA-c5fp-p67m-gq56); no public exploit or CISA KEV listing exists at time of analysis.

PHP SSRF Php Weasyprint
NVD GitHub VulDB
CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated callers can trigger server-side request forgery against NL Portal Backend Libraries (nl.nl-portal:form versions 1.1.0.RELEASE through 3.0.3) by invoking the public GraphQL resolvers `getFormDefinitionByObjectenApiUrl` or `getFormDefinitionById`, causing the backend to issue outbound HTTP requests bearing a privileged Objecten-API `Authorization: Token` header to a caller-influenced URL on the configured Objecten-API host. The SSRF is constrained to the same configured host by a host-equality guard, and arbitrary data disclosure is further limited by strict typed deserialization in Kotlin, which keeps practical real-world impact at Medium despite unauthenticated network access. A lab proof-of-concept was confirmed by the reporter against the real Spring WebFlux stack; no public exploit code has been independently identified and the vulnerability is not listed in CISA KEV.

Authentication Bypass Deserialization Java +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Server-Side Request Forgery in the Bit Integrations WordPress plugin (all versions through 2.8.7) allows unauthenticated attackers to force the web server to issue arbitrary HTTP requests to internal or external locations via the upload_attachment function. Exploitation enables querying and modifying data from internal services reachable by the web server, including metadata services in cloud environments, internal APIs, or private network endpoints. No public exploit is identified at time of analysis, but the attack requires only a default integration configuration, substantially lowering the practical barrier to exploitation.

Google WordPress SSRF +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.

XSS WordPress SSRF +1
NVD
CVSS 5.8
MEDIUM PATCH This Month

Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.

Microsoft Docker Kubernetes +4
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Server-side request forgery in Gotenberg v8.33.0 and earlier allows remote unauthenticated attackers to coerce the server into making arbitrary outbound HTTP(S) requests and to disclose local image files by uploading a crafted DOCX to the /forms/libreoffice/convert endpoint. The flaw stems from LibreOffice automatically resolving external and local resources referenced in <img> tags during conversion, exposing internal networks and on-disk image files. Publicly available exploit code exists via the vendor's GHSA-2mrg-35hw-x3x9 advisory, though no CISA KEV listing or EPSS data is available at time of analysis.

Debian OpenSSL SSRF
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Server-Side Request Forgery in Zitadel's outgoing HTTP subsystems - HTTP Notification Channel webhooks, OIDC BackChannel Logout endpoints, and SAML Metadata URL fetches - enables authenticated users with application configuration privileges to force the Zitadel server to issue HTTP requests to internal network addresses, loopback interfaces, and cloud metadata endpoints such as the link-local IMDSv1 address 169.254.169.254. The pre-existing denylist for the Actions subsystem was additionally bypassable via DNS rebinding (TOCTOU), HTTP redirect following, and HTTPS-to-HTTP protocol downgrade, and all three newly affected components lacked denylist coverage entirely. No public exploit code has been identified at time of analysis; however, the vulnerability was independently reported by 13+ researchers, and a vendor patch is available in v4.15.2 with no backport for the v3.x branch.

Microsoft SSRF
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery in the CF7 to Webhook WordPress plugin (versions up to and including 5.0.0) allows unauthenticated attackers to coerce the WordPress server into issuing arbitrary outbound HTTP requests through the pull_the_trigger functionality. Exploitation is conditional on an administrator configuring the webhook URL with a Contact Form 7 field placeholder inside the host portion of the URL, with the form publicly reachable. No public exploit identified at time of analysis, and there is no CISA KEV listing for this vulnerability.

WordPress SSRF Cf7 To Webhook
NVD VulDB
EPSS 0% CVSS 8.2
HIGH This Week

Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to bypass SSRF protections via DNS rebinding, reaching internal services and cloud metadata endpoints. The validator resolves a hostname once for allowlist checks, but the subsequent HTTP request performs a fresh DNS resolution without IP pinning, creating a time-of-check to time-of-use (TOCTOU) gap. No public exploit identified at time of analysis, though the fix commit and detailed advisory are publicly available on GitHub.

SSRF Typebot Io
NVD GitHub
EPSS 0% CVSS 3.1
LOW POC PATCH Monitor

Authentication token leakage in Black Lantern Security's bbot docker_pull module exposes Docker credentials to MITM attackers who can substitute the realm parameter in a forged WWW-Authenticate Bearer challenge. When bbot contacts a Docker registry and receives a 401 response, the vulnerable module blindly trusts the attacker-supplied realm URL and forwards authentication material to an arbitrary endpoint outside the legitimate registry domain. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but an upstream patch commit is available on GitHub.

SSRF Docker Bbot
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Authentication bypass in Network-AI versions 5.7.1 and earlier allows unauthenticated remote attackers to invoke all 22 MCP tools on the SSE server because the default secret is empty and `_isAuthorized()` returns true when no secret is configured. Despite the partial fix for CVE-2026-46701 in 5.4.5 (which restricted CORS to localhost origins), any non-browser caller - curl, SSRF, or a service exposed via a 0.0.0.0 bind - can still call privileged operations like `config_set`, `agent_spawn`, `blackboard_write`, and token management with zero credentials. No public exploit identified at time of analysis, but the GHSA advisory includes annotated source-code locations that effectively serve as a roadmap for exploitation.

SSRF Authentication Bypass Node.js +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

XML External Entity injection in the HAPI FHIR core library (Maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities, versions <= 6.9.9) lets an attacker who controls or MITMs XML routed through XsltUtilities.saxonTransform(...) read local files and perform blind XXE/SSRF. The three saxonTransform overloads instantiate a bare net.sf.saxon.TransformerFactoryImpl that resolves external general and parameter entities, unlike the co-located transform() siblings that use the project's hardened XXE-protected factory. Publicly available exploit code exists (a full end-to-end PoC accompanies the GitHub advisory), though there is no public exploit identified as actively used in the wild.

Apache Java XXE +1
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

SSRF protection bypass in Open WebUI's SafePlaywrightURLLoader (versions <= 0.9.5) allows authenticated users to access internal network resources by supplying an externally-hosted URL that returns an HTTP 301/302 redirect to a private address. Because Playwright's page.goto() automatically follows redirects without re-validating the destination, attackers can reach localhost, container-network peers, or cloud metadata endpoints (169.254.169.254) even when ENABLE_RAG_LOCAL_WEB_FETCH=False. A working PoC is published in the GHSA advisory; there is no public exploit identified at time of analysis being actively used, and no CISA KEV listing.

Python SSRF Docker
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authenticated path traversal and SSRF in Open WebUI's terminal-server reverse proxy (versions <= 0.9.5) allows non-admin users with granted terminal access to escape the intended path or policy scope using double-encoded traversal sequences (%252e%252e). The flaw bypasses the project's own _sanitize_proxy_path mitigation, which performs only a single URL-decode pass before the '..' check, letting attackers reach unintended endpoints, files, and internal services routed by the terminal server. No public exploit identified at time of analysis, though the vendor advisory includes working proof-of-concept request strings.

Path Traversal Python SSRF
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-user file disclosure in Open WebUI (pip package open-webui, versions ≤ 0.9.5) allows any authenticated user to read the content of files uploaded by other users by supplying a victim's file UUID as the image_url.url value in POST /api/chat/completions. The server's image-conversion middleware resolves the UUID against the global file table with no ownership check, base64-encodes the file, and injects it into the LLM prompt, from which the attacker reads the content via a transcription instruction. No KEV listing confirms active exploitation, but a complete step-by-step reproduction proof-of-concept is embedded in the public GitHub Security Advisory (GHSA-wch8-mhj5-9frg), materially increasing exploitation likelihood; the vendor-released fix is version 0.9.6.

Python Authentication Bypass SSRF
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.

Python PostgreSQL Microsoft +6
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Server-Side Request Forgery in NocoDB's base-migration endpoint allows authenticated workspace owners to coerce the migration worker into issuing requests using arbitrary URL schemes - including file:// and ftp:// - enabling local file disclosure and interaction with non-HTTP services. The affected package is pkg:npm/nocodb at versions up to and including 0.301.3; no released patched version has been confirmed at time of analysis. Exploitation is constrained to principals holding the workspace owner role, but within that privilege tier no additional conditions are required to trigger the vulnerability. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

SSRF
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Server-Side Request Forgery in NocoDB's spreadsheet-fetch endpoint (`axiosRequestMake`) allows authenticated users with editor-level permissions to coerce the NocoDB server into issuing HTTP requests to cloud metadata services (e.g., AWS IMDSv1 at `169.254.169.254`) and other internal network resources reachable from the NocoDB process. Two distinct defensive failures enabled the attack: an un-anchored file-extension allowlist that accepted `.xlsx` anywhere in the URL path, and a hand-rolled IP blocklist that omitted `127.0.0.0/8` and `169.254.0.0/16`. On cloud-hosted deployments, this functions as a credential-exfiltration primitive. No public exploit has been identified at time of analysis, but the attack pattern is trivially reproducible from the advisory text alone.

SSRF
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Server-Side Request Forgery in Pydantic AI (versions 1.56.0-1.101.0, 2.0.0b1, 2.0.0b2) allows unauthenticated network attackers to bypass the cloud-metadata IP blocklist by encoding metadata service addresses (e.g., 169.254.169.254) in IPv6 transition forms - specifically IPv4-compatible IPv6, NAT64 RFC 8215 local-use prefixes, operator-chosen NAT64 prefixes, and ISATAP - that the prior remediation (CVE-2026-46678) failed to decode, enabling retrieval of cloud IAM short-term credentials. Exploitation is constrained by two simultaneous prerequisites: the application must use the non-default `force_download='allow-local'` mode and must operate on a network that routes the affected IPv6 transition forms (e.g., IPv6-only or dual-stack-with-NAT64 Kubernetes clusters). This is the third iteration in an escalating bypass chain (CVE-2026-25580 → CVE-2026-46678 → CVE-2026-48782), and no public exploit has been identified at time of analysis.

Python Kubernetes SSRF +3
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated server-side request forgery in Crawl4AI's Docker API server (versions < 0.8.9) lets remote attackers reach internal services and cloud-metadata endpoints by supplying a proxy address that bypasses the crawl-URL validation. Because the Docker API is unauthenticated by default and the SSRF check was only applied to the crawl target - not to the proxy destination - an attacker can route Chromium's egress through an internal IP (e.g. AWS IMDSv1 at 169.254.169.254) and read the response verbatim from the crawl result. No public exploit is identified at time of analysis, but the reporter supplied a working PoC and EPSS risk is low (0.29%, 20th percentile).

Google SSRF Docker
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-Side Request Forgery in Crawl4AI's Docker API server (versions <= 0.8.7) allows unauthenticated remote attackers to bypass the IPv4/IPv6 CIDR blocklist in validate_webhook_url/validate_url_destination by using IPv6 transition forms (NAT64, 6to4, IPv4-mapped, IPv4-compatible) or the unspecified address. Since the Docker API ships with jwt_enabled:false by default, attackers can pivot the server into fetching cloud metadata endpoints like 169.254.169.254, potentially exposing IAM credentials. No public exploit identified at time of analysis, but the upstream advisory (GHSA-4qqr-vv2q-cmr5) details the exact bypass payloads.

Docker SSRF Oracle
NVD GitHub
EPSS 2% CVSS 9.0
CRITICAL POC PATCH Act Now

Unauthenticated server-side request forgery in LobeHub's `/webapi/proxy` endpoint (versions <= 2.1.56) allows any remote attacker to proxy arbitrary HTTP requests through LobeHub's infrastructure and inject attacker-controlled `Set-Cookie` headers onto the `lobehub.com` domain. The flaw stems from the route handler omitting the `checkAuth()` wrapper that protects every other webapi route, enabling SSRF, infrastructure reconnaissance against Vercel internals, and a CSRF-to-session-fixation chain against Clerk auth cookies. Publicly available exploit code exists (working curl PoCs and a CSRF HTML PoC are included in the GitHub Security Advisory GHSA-xmwj-c75x-6346); no public exploit identified at time of analysis in CISA KEV.

CSRF SSRF
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

HTTP redirect validation bypass in Hugo v0.91.0-v0.161.1 allows the `resources.GetRemote` build-time HTTP client to follow 3xx redirects to hosts explicitly forbidden by the `security.http.urls` allow-list, enabling server-side request forgery (SSRF) against internal network targets. Build pipelines that rely on `security.http.urls` as a trust boundary - for example, CI systems that fetch from semi-trusted external hosts while restricting access to internal metadata services or private IP ranges - are the primary risk population. No public exploit has been identified at time of analysis, and exploitation requires an attacker to control or manipulate an already-permitted external host.

SSRF
NVD GitHub
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

WebSocket connections in Deno 2.8.0 and earlier silently bypass `--deny-net` network sandbox rules by exploiting a missing post-DNS-resolution IP check - the runtime validates the destination hostname but never validates the IP address that hostname resolves to, enabling a classic DNS-rebinding-style SSRF (CWE-918) within the permission system. Any script running under `deno run` with `--deny-net` restrictions can weaponize an attacker-controlled domain to reach blocked hosts such as localhost or cloud metadata endpoints (e.g., 169.254.169.254). No public exploit has been identified at time of analysis, and the issue is specific to the WebSocket API; `Deno.connect` and `fetch()` are addressed in a companion advisory.

SSRF
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Regex translation in the @astrojs/netlify adapter broadens Astro's image.remotePatterns beyond the intended allowlist when building for Netlify deployment, enabling unauthorized image fetches from apex hosts and deeper URL paths. Versions of @astrojs/netlify prior to 7.0.13 (confirmed vulnerable at 7.0.10) generate Netlify Image CDN regex patterns that make wildcard subdomains optional and omit end-anchoring on pathname segments, causing the Netlify CDN to accept URLs that Astro's canonical matcher would reject. Unauthenticated public requesters can exploit this to cause the Netlify Image CDN to fetch image-like resources from hosts or paths outside the developer's intended scope, constituting a partial SSRF bypass against the image proxy allowlist. No active exploitation has been confirmed in CISA KEV, but a detailed reproduction is included in the GHSA advisory.

Canonical Node.js SSRF
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

{scheme}://{host}{path}` without validating the path prefix, and RFC 3986 §3.2.1 re-parsing then interprets the `@` symbol as a userinfo delimiter, shifting hostname authority to the attacker-supplied value. Exploitation is constrained to middleware or 404/exception handlers that act on `request.url` before routing, since the malformed path matches no registered route; no active exploitation is confirmed (not in CISA KEV) and no public exploit code beyond the advisory PoC has been identified.

Google SSRF Suse
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) in the PopAd WordPress plugin by Vynnus allows an authenticated administrator to cause the server to make forged outbound HTTP requests to arbitrary destinations, including internal network resources. All versions through 1.0.4 are affected per CPE data (cpe:2.3:a:vynnus:popad). The scope change (S:C) in the CVSS vector confirms that successful exploitation can reach systems beyond the WordPress host itself, enabling lateral pivoting into internal infrastructure. No public exploit identified at time of analysis.

SSRF Popad
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.

Python Nginx Microsoft +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Server-side request forgery in @angular/platform-server allows remote unauthenticated attackers to bypass the allowedHosts allowlist by sending a malformed Host header or absolute-form request URI (e.g., 'evil.com:80:80'), causing the SSR runtime to redirect outbound HttpClient requests to attacker-controlled origins. The flaw stems from a parser differential between Node's strict WHATWG URL parser (used for allowlist validation) and Domino's lenient parser (used for DOM origin resolution). No public exploit identified at time of analysis, but proof-of-concept patterns are documented in the GitHub Security Advisory GHSA-xrxm-cp7j-8xf6.

SSRF
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Server-side request forgery in python-utcp 1.1.0's utcp-gql and utcp-websocket components allows remote low-privileged attackers to coerce the server into issuing arbitrary outbound HTTP requests, potentially reaching internal infrastructure not exposed to the public internet. The affected library implements the universal-tool-calling-protocol and the vulnerable code paths reside in its GraphQL and WebSocket transport handlers. A public exploit has been disclosed via GitHub, and the vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.

Python SSRF Python Utcp
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH This Week

An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL.

SSRF N A
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Server-side request forgery in Shlink v5.0.1's automatic short URL title resolution allows remote unauthenticated attackers to probe internal network resources by submitting a crafted longUrl value. The flaw carries a CVSS 9.1 rating reflecting high confidentiality and integrity impact, though EPSS exploitation probability remains low at 0.15% and there is no public exploit identified at time of analysis beyond a referenced gist. Shlink is a self-hosted URL shortener, making this a meaningful pivot point for attackers targeting internal infrastructure behind the shortener host.

SSRF N A
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Credential exposure via SSRF in OpenClaw's message.action forwarding allows authenticated remote attackers to redirect Gateway token-bearing action payloads to attacker-supplied loopback URLs, resulting in full confidentiality compromise of Gateway credentials. Affected versions are all OpenClaw releases prior to 2026.5.2; the flaw is rooted in insufficient validation of model-controlled metadata that governs action routing. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the Gateway credential theft impact warrants prompt patching in any deployment where OpenClaw interacts with privileged backend services.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW Monitor

Server-Side Request Forgery in ApostropheCMS through version 4.30.0 allows unauthenticated remote attackers to pivot the Node.js application process into issuing outbound HTTP requests to arbitrary hosts on the internal network when the `prettyUrls` SEO feature is explicitly enabled on the `@apostrophecms/file` module. The attack exploits the raw `Host` HTTP request header, which the pretty-URL handler uses verbatim to construct and `fetch()` an upstream URL, streaming the full HTTP response - status code, headers, and body - back to the requester. Practical impact is constrained to blind SSRF (network-topology probing via response-code and timing oracles, and verbose proxy or WAF error-body disclosure) rather than arbitrary data exfiltration; no patch exists at time of publication and no public exploit has been identified.

Node.js SSRF Apostrophe
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

SSRF in Koel's radio station creation endpoint (POST /api/radio/stations) allows any authenticated non-admin user to coerce the server into issuing HEAD/GET requests to arbitrary internal hosts. The root cause is a missing Laravel `bail` keyword in the URL field validation chain: the SafeUrl rule correctly rejects private/reserved addresses, but without bail, the subsequent HasAudioContentType rule still executes and makes an outbound HTTP request to the attacker-supplied URL. Vendor-released patch version 9.7.1 resolves the issue; no public exploit or CISA KEV listing exists at time of analysis.

SSRF Koel
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Server-Side Request Forgery in GeoServer 2.26.x prior to 2.26.4 and 2.27.x prior to 2.27.3 allows unauthenticated remote attackers to coerce the server into issuing HTTP requests to attacker-chosen destinations by abusing weak prefix matching of the proxy base URL inside the XML entity resolver. No public exploit identified at time of analysis, and EPSS exploitation probability sits at 0.06% (19th percentile), but the trivial network-only attack vector and default-enabled ENTITY_RESOLUTION_ALLOWLIST since 2.25.0 raise the realistic exposure for internet-facing instances.

Atlassian SSRF
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Server-side request forgery in OpenClaw's Playwright-backed browser control allows authenticated low-privilege users to circumvent private-network navigation guards by chaining action-triggered redirects through the Playwright act interaction mechanism. All OpenClaw versions prior to 2026.5.18 are affected, and subsequent browser evaluation APIs can be abused to read the content of private-network pages - including internal services, admin panels, or cloud metadata endpoints reachable from the server. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the subsequent-system confidentiality impact is rated High in the CVSS 4.0 vector, reflecting meaningful data-disclosure potential in cloud-hosted or internally networked deployments.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Server-side request forgery in steipete/Summarize before v0.17.0 enables an attacker who controls a podcast RSS feed to coerce the application into fetching transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, and other reserved destinations. The vulnerability is compounded by two bypass mechanisms: DNS rebinding (allowing an attacker to pass an initial hostname check then resolve to an internal target) and unvalidated redirect-following (where intermediate redirect targets are never re-screened). Exploitation exposes internal service responses through the summarization pipeline to the attacker. No active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified; a vendor patch is available as v0.17.0.

SSRF Summarize
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-side request forgery in Garlic-Hub digital signage manager prior to version 1.1 allows authenticated users to coerce the server into issuing arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. Responses are stored in the publicly accessible media pool, enabling internal port scanning, service fingerprinting, and exfiltration of internal HTTP responses. No public exploit identified at time of analysis, but the upstream commit (076b6d7) and GHSA-x24v-76hr-989r advisory disclose the patched validator logic.

SSRF Garlic Hub
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-side request forgery in the Fediverse Embeds WordPress plugin before 1.5.8 lets any unauthenticated visitor coerce the WordPress host into issuing arbitrary outbound HTTP requests and returns the full response body to the caller, turning the site into a full-read open proxy. The flaw stems from the ftf/media-proxy REST route being registered with permission_callback => __return_true and a dead allowlist check whose result was never honored before wp_remote_get was invoked on a base64-decoded attacker-supplied URL. No public exploit identified at time of analysis, but the bug is trivial to weaponize against internal cloud metadata endpoints and intranet services from any reachable WordPress install.

PHP WordPress SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Server-Side Request Forgery in the Fediverse Embeds WordPress plugin (versions prior to 1.5.9) allows any unauthenticated visitor to cause the WordPress server to fetch an arbitrary URL by abusing a publicly exposed AJAX endpoint. The nonce mechanism guarding the endpoint (`ftf-fediverse-embeds-nonce`) is not an authentication boundary - the same nonce is embedded into every public page containing a fediverse embed, making it trivially obtainable by any site visitor. Once obtained, the nonce can be replayed to invoke `file_get_html($site_url)` with an attacker-controlled URL, potentially exposing internal services such as cloud provider metadata endpoints. No active exploitation has been confirmed (CVE is not in CISA KEV) and no public proof-of-concept has been identified at time of analysis.

PHP WordPress SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Server-side request forgery in Kolibri (pip/kolibri <= 0.19.3) allows network-reachable attackers to force the Kolibri server to issue outbound HTTP requests to arbitrary internal hosts, cloud metadata endpoints, and internal services, with JSON response bodies reflected directly to the caller. The primary GET endpoint at /api/auth/remotefacilityuser required no authentication whatsoever, making this exploitable by any party with network access to the Kolibri server. A working proof-of-concept was retained internally by the reporting researcher but was not published; no public exploit code exists and CISA KEV listing has not been identified at time of analysis.

Python Microsoft Docker +3
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Server-side request forgery in IBM Langflow Desktop 1.0.0 through 1.9.2 enables authenticated network-based attackers to coerce the application into issuing arbitrary outbound HTTP requests on their behalf. The vulnerability, classified under CWE-918, can expose internal network topology by proxying requests through the server to otherwise inaccessible hosts, and may serve as a stepping stone for further lateral movement or credential harvesting from cloud metadata services. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via IBM advisory.

SSRF IBM Langflow Desktop
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in GitLab CE/EE's repository import feature allows an authenticated low-privileged user to read arbitrary files from the backend Gitaly server and probe internal network resources by supplying maliciously crafted secondary URLs that bypass input validation. Affected versions span the 18.10, 18.11, and 19.0 release lines, all patched by GitLab on 2026-06-10. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the combination of authentication-only gating and network-accessible entry point makes this a meaningful lateral-movement risk in self-managed GitLab deployments.

Gitlab SSRF
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) allows remote unauthenticated attackers to coerce the server into initiating outbound HTTP connections to attacker-controlled or internal destinations by abusing WS-Addressing ReplyTo/FaultTo headers. The flaw stems from WebServiceMessageSender instances dispatching to destinations taken directly from SOAP request headers without validating that the targets are safe. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Java SSRF Spring Web Services
NVD VulDB HeroDevs
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Server-Side Request Forgery in the Fedify ActivityPub library (versions 0.11.2 through 2.2.3, with branch-specific cutoffs) allows remote attackers to coerce outbound fetches to non-public IPv4 destinations because the `isValidPublicIPv4Address()` allow-list misses several reserved, multicast, benchmarking, and CGNAT ranges. This is an incomplete-fix bypass of the SSRF mitigation originally tracked as GHSA-p9cg-vqcc-grcx, and at time of analysis there is no public exploit identified, though the underlying logic and patch diff are publicly disclosed in the GHSA-xw9q-2mv6-9fr8 advisory. Federated servers built on Fedify are exposed whenever they fetch attacker-controlled ActivityPub documents or media.

SSRF Fedify Vocab Runtime
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Server-Side Request Forgery in Weblate's VCS_RESTRICT_PRIVATE control (versions 5.15 through pre-2026.6) allows bypassing of outbound request restrictions via IPv6 transition address encoding techniques. By supplying a hostname whose DNS AAAA record resolves to a NAT64-wrapped, 6to4-wrapped, or IPv4-compatible IPv6 address that encodes a private IPv4 endpoint, an attacker causes Weblate's validator to pass the address as globally routable while the host kernel routes the packet to the embedded private IPv4 target. The vulnerability carries High confidentiality impact (CVSS 5.9, AV:N/AC:H) because SSRF can expose internal services such as cloud IMDS credential endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.

SSRF Weblate Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Server-side request forgery in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform lets a low-privileged authenticated user coerce the Dashboard Studio PDF export feature into issuing HTTP requests to arbitrary internal destinations. The flaw stems from a flawed prefix-match on trusted domains plus uncritical redirect-following by the PDF export service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SSRF Splunk Splunk Enterprise +1
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

SSRF and FTP bounce attacks are enabled in Erlang/OTP's ftp_internal module because the PASV handler blindly trusts the IP address returned in a server's 227 response, connecting the data channel to an attacker-controlled internal target without validating it against the control connection's actual peer address. All Erlang applications using the ftp client in its default passive IPv4 mode (ipfamily=inet, ftp_extension=false) across OTP 17.4 through pre-29.0.2 are affected, spanning both the legacy inets-bundled module and the standalone ftp application. No active exploitation has been confirmed (not in CISA KEV), but a functional proof-of-concept demonstrating the redirect attack is publicly embedded in the upstream fix commit, significantly lowering the exploitation barrier.

SSRF Otp Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

{version,uptime,status,checks}/<server_ip>` route family passes the Flask URL path parameter directly into a Python `requests.get()` call without any allowlist or blocklist validation, making IPv4 literals such as 169.254.169.254, RFC1918 ranges, and 127.0.0.1 all valid targets. No publicly available patches exist at time of analysis, and no public exploit code or CISA KEV listing has been identified.

Python Nginx SSRF +1
NVD GitHub
EPSS 0% CVSS 3.5
LOW PATCH Monitor

Papra's webhook delivery system allows any authenticated organisation member to bypass SSRF protections and cause the server to issue HTTP requests to loopback, link-local, and RFC-1918 addresses by exploiting automatic redirect-following in the ofetch HTTP client. The SSRF blocklist is enforced on registered webhook URLs but never applied to 3xx redirect destinations, meaning an attacker-controlled server can return a 302/307 response pointing to any internal address and Papra's server will follow it. A public proof-of-concept is available and exploitation was confirmed against the official Docker image; no CISA KEV listing is present at time of analysis.

Python Docker Microsoft +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL Act Now

Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary code execution in the context of the current user, with a maximum CVSS 10.0 reflecting unauthenticated network exploitation and scope change. No public exploit identified at time of analysis, but the vendor advisory APSB26-66 confirms the flaw and the trivial attack complexity (AC:L) combined with PR:N and UI:N makes ACC instances reachable from untrusted networks an urgent patch target. The scope change (S:C) indicates the SSRF pivots beyond the originating component, enabling reach into adjacent backend services typically isolated from external callers.

Adobe SSRF RCE
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation via server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low-level network access to coerce the Exchange server into making attacker-controlled requests, resulting in high impact to confidentiality, integrity, and availability. The flaw is network-exploitable with low complexity (CVSS 8.8) but requires prior authentication, and no public exploit identified at time of analysis. As a Microsoft-discovered issue (reported by secure@microsoft.com), it is consistent with the broader pattern of Exchange SSRF chains used to pivot to elevated mailbox or domain access.

Microsoft SSRF Exchange Server
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low privileges to coerce the Exchange server into making arbitrary outbound requests, resulting in disclosure of sensitive information and potential integrity impact across internal network resources. The CVSS 8.1 score reflects the high confidentiality and integrity impact from a network-reachable, low-complexity attack, though no public exploit identified at time of analysis. The vulnerability is tagged as an Authentication Bypass / SSRF, suggesting the SSRF primitive may be leveraged to bypass network-based authentication boundaries (e.g., reaching internal trusted endpoints).

Authentication Bypass Microsoft SSRF +2
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Server-side request forgery in Microsoft Exchange Server enables an authenticated low-privilege attacker to coerce the server into issuing outbound network requests to internal or external resources, resulting in information disclosure. Affected deployments span Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and the current Subscription Edition - all at versions below their respective patched builds. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis, but the Changed scope in the CVSS vector indicates the server can reach resources beyond its own trust boundary, amplifying reconnaissance value for an already-authenticated adversary.

Microsoft SSRF Exchange Server +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH Exploit Unlikely This Month

Cross-site scripting and server-side request forgery in Microsoft Exchange Server enables authenticated low-privilege network attackers to perform spoofing and exfiltrate sensitive information. Affected are Exchange Server 2016 CU23, 2019 CU14, 2019 CU15, and the Subscription Edition RTM release lines, all below their respective patched cumulative update builds. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though Microsoft has released patches across all affected branches.

XSS Microsoft SSRF +2
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery (SSRF) in Spring Framework's UriComponentsBuilder affects applications that use this API to parse and validate externally supplied URL strings. Incorrect host parsing allows a remote, unauthenticated attacker - with user interaction - to cause the application server to issue requests to unintended internal or external destinations, exposing low-level confidentiality and integrity impacts. No public exploit identified at time of analysis and no CISA KEV listing; however, SSRF in widely deployed Java frameworks warrants attention in any internet-facing application that processes user-controlled URLs.

Java SSRF Spring Framework
NVD VulDB
EPSS 0%
HIGH PATCH This Week

Authenticated arbitrary local file read in Basekick Labs Arc analytics platform allows any token holder - even one with an empty permissions array - to exfiltrate sensitive host files (auth.db bcrypt hashes, arc.toml S3/TLS secrets, /proc/self/environ) and pivot to SSRF against cloud metadata endpoints by abusing unblocked DuckDB I/O functions in the SELECT clause. The flaw stems from an incomplete regex denylist in internal/api/query.go that filtered only read_parquet and arc_partition_agg while leaving the wider DuckDB I/O family (read_csv_auto, read_json, read_text, read_blob, glob, parquet_metadata, read_xlsx, etc.) and SELECT-list scalar table functions unguarded. No public exploit identified at time of analysis, but the GHSA advisory ships a working single-request proof-of-concept and the fix is shipped in Arc 2026.06.1.

Path Traversal SSRF
NVD GitHub
Prev Page 3 of 32 Next

Quick Facts

Typical Severity
HIGH
Category
web
Total CVEs
2848

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy