Server-Side Request Forgery
Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs.
How It Works
Server-Side Request Forgery exploits applications that fetch remote resources based on user-supplied URLs. When a web server accepts a URL parameter to retrieve external content—for example, to proxy images, validate webhooks, or import data—an attacker can manipulate that parameter to make the server send requests to unintended destinations. The critical issue is that these requests originate from the server itself, bypassing firewalls and network controls that would block direct external access.
Attacks come in several forms. Direct SSRF gives the attacker full control over the destination URL, allowing them to target internal services like http://localhost:8080/admin or cloud metadata endpoints at http://169.254.169.254/latest/meta-data/. Blind SSRF occurs when the application makes the request but doesn't return the response to the attacker—they must rely on timing differences or out-of-band techniques to confirm success. Partial SSRF restricts the attacker to modifying only part of the URL, such as the hostname or path, requiring more creative exploitation.
The typical attack flow starts with identifying URL parameters that trigger server-side requests. The attacker then probes for internal services by injecting internal IP addresses or localhost references. Common targets include administrative interfaces, internal REST APIs, Redis or Memcached instances, and especially cloud metadata services that expose IAM credentials. Attackers often employ bypass techniques like encoding IPs in decimal format (2130706433 for 127.0.0.1), exploiting URL parser discrepancies between validation and execution layers, or chaining with open redirects to evade basic filters.
Impact
- Access to internal services that should be network-isolated—admin panels, monitoring dashboards, configuration endpoints
- Cloud credential theft via metadata APIs, particularly AWS IAM role credentials exposed at 169.254.169.254
- Reading local files through
file://protocol support, exposing configuration files and source code - Network reconnaissance to map internal infrastructure and identify additional attack targets
- Remote code execution on back-end systems like Redis or Elasticsearch that accept commands over HTTP
- Pivoting deeper into internal networks by using the compromised server as a proxy for further attacks
Real-World Examples
Capital One suffered a massive breach in 2019 when an attacker exploited SSRF in a web application firewall to query AWS metadata services, stealing credentials that granted access to over 100 million customer records. The vulnerability allowed requests to the internal metadata endpoint that should have been unreachable.
Shopify's infrastructure exposed internal Google Cloud metadata in 2020 through an image proxy feature. Security researchers demonstrated they could retrieve service account credentials by tricking the proxy into fetching from the metadata API, potentially compromising the entire GCP environment.
Numerous CVEs in enterprise products highlight SSRF in common features: webhook validators in GitLab, PDF generators that fetch remote images, and document conversion services. These typically manifest when URL validation assumes all requests will target external internet resources, failing to anticipate internal network abuse.
Mitigation
- Allowlist approved destination domains rather than trying to blocklist dangerous ones—only permit necessary external services
- Disable unnecessary URL schemes entirely (file://, gopher://, dict://)—restrict to https:// only where possible
- Network segmentation to prevent application servers from reaching internal infrastructure—use separate VLANs or VPCs
- Deploy cloud metadata protections like AWS IMDSv2 requiring session tokens, making metadata unavailable to simple HTTP requests
- Validate and parse URLs consistently using a single library, then verify resolved IP addresses aren't private ranges
- Remove response bodies from errors to prevent information disclosure in blind SSRF scenarios
Recent CVEs (2860)
Server-Side Request Forgery in Weblate's VCS_RESTRICT_PRIVATE control (versions 5.15 through pre-2026.6) allows bypassing of outbound request restrictions via IPv6 transition address encoding techniques. By supplying a hostname whose DNS AAAA record resolves to a NAT64-wrapped, 6to4-wrapped, or IPv4-compatible IPv6 address that encodes a private IPv4 endpoint, an attacker causes Weblate's validator to pass the address as globally routable while the host kernel routes the packet to the embedded private IPv4 target. The vulnerability carries High confidentiality impact (CVSS 5.9, AV:N/AC:H) because SSRF can expose internal services such as cloud IMDS credential endpoints; no public exploit or CISA KEV listing has been identified at time of analysis.
Server-side request forgery in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform lets a low-privileged authenticated user coerce the Dashboard Studio PDF export feature into issuing HTTP requests to arbitrary internal destinations. The flaw stems from a flawed prefix-match on trusted domains plus uncritical redirect-following by the PDF export service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SSRF and FTP bounce attacks are enabled in Erlang/OTP's ftp_internal module because the PASV handler blindly trusts the IP address returned in a server's 227 response, connecting the data channel to an attacker-controlled internal target without validating it against the control connection's actual peer address. All Erlang applications using the ftp client in its default passive IPv4 mode (ipfamily=inet, ftp_extension=false) across OTP 17.4 through pre-29.0.2 are affected, spanning both the legacy inets-bundled module and the standalone ftp application. No active exploitation has been confirmed (not in CISA KEV), but a functional proof-of-concept demonstrating the redirect attack is publicly embedded in the upstream fix commit, significantly lowering the exploitation barrier.
{version,uptime,status,checks}/<server_ip>` route family passes the Flask URL path parameter directly into a Python `requests.get()` call without any allowlist or blocklist validation, making IPv4 literals such as 169.254.169.254, RFC1918 ranges, and 127.0.0.1 all valid targets. No publicly available patches exist at time of analysis, and no public exploit code or CISA KEV listing has been identified.
Papra's webhook delivery system allows any authenticated organisation member to bypass SSRF protections and cause the server to issue HTTP requests to loopback, link-local, and RFC-1918 addresses by exploiting automatic redirect-following in the ofetch HTTP client. The SSRF blocklist is enforced on registered webhook URLs but never applied to 3xx redirect destinations, meaning an attacker-controlled server can return a 302/307 response pointing to any internal address and Papra's server will follow it. A public proof-of-concept is available and exploitation was confirmed against the official Docker image; no CISA KEV listing is present at time of analysis.
Server-side request forgery in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier escalates to arbitrary code execution in the context of the current user, with a maximum CVSS 10.0 reflecting unauthenticated network exploitation and scope change. No public exploit identified at time of analysis, but the vendor advisory APSB26-66 confirms the flaw and the trivial attack complexity (AC:L) combined with PR:N and UI:N makes ACC instances reachable from untrusted networks an urgent patch target. The scope change (S:C) indicates the SSRF pivots beyond the originating component, enabling reach into adjacent backend services typically isolated from external callers.
Privilege escalation via server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low-level network access to coerce the Exchange server into making attacker-controlled requests, resulting in high impact to confidentiality, integrity, and availability. The flaw is network-exploitable with low complexity (CVSS 8.8) but requires prior authentication, and no public exploit identified at time of analysis. As a Microsoft-discovered issue (reported by secure@microsoft.com), it is consistent with the broader pattern of Exchange SSRF chains used to pivot to elevated mailbox or domain access.
Server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low privileges to coerce the Exchange server into making arbitrary outbound requests, resulting in disclosure of sensitive information and potential integrity impact across internal network resources. The CVSS 8.1 score reflects the high confidentiality and integrity impact from a network-reachable, low-complexity attack, though no public exploit identified at time of analysis. The vulnerability is tagged as an Authentication Bypass / SSRF, suggesting the SSRF primitive may be leveraged to bypass network-based authentication boundaries (e.g., reaching internal trusted endpoints).
Server-side request forgery in Microsoft Exchange Server enables an authenticated low-privilege attacker to coerce the server into issuing outbound network requests to internal or external resources, resulting in information disclosure. Affected deployments span Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and the current Subscription Edition - all at versions below their respective patched builds. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis, but the Changed scope in the CVSS vector indicates the server can reach resources beyond its own trust boundary, amplifying reconnaissance value for an already-authenticated adversary.
Cross-site scripting and server-side request forgery in Microsoft Exchange Server enables authenticated low-privilege network attackers to perform spoofing and exfiltrate sensitive information. Affected are Exchange Server 2016 CU23, 2019 CU14, 2019 CU15, and the Subscription Edition RTM release lines, all below their respective patched cumulative update builds. No public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though Microsoft has released patches across all affected branches.
Server-side request forgery (SSRF) in Spring Framework's UriComponentsBuilder affects applications that use this API to parse and validate externally supplied URL strings. Incorrect host parsing allows a remote, unauthenticated attacker - with user interaction - to cause the application server to issue requests to unintended internal or external destinations, exposing low-level confidentiality and integrity impacts. No public exploit identified at time of analysis and no CISA KEV listing; however, SSRF in widely deployed Java frameworks warrants attention in any internet-facing application that processes user-controlled URLs.
Authenticated arbitrary local file read in Basekick Labs Arc analytics platform allows any token holder - even one with an empty permissions array - to exfiltrate sensitive host files (auth.db bcrypt hashes, arc.toml S3/TLS secrets, /proc/self/environ) and pivot to SSRF against cloud metadata endpoints by abusing unblocked DuckDB I/O functions in the SELECT clause. The flaw stems from an incomplete regex denylist in internal/api/query.go that filtered only read_parquet and arc_partition_agg while leaving the wider DuckDB I/O family (read_csv_auto, read_json, read_text, read_blob, glob, parquet_metadata, read_xlsx, etc.) and SELECT-list scalar table functions unguarded. No public exploit identified at time of analysis, but the GHSA advisory ships a working single-request proof-of-concept and the fix is shipped in Arc 2026.06.1.
Server-side request forgery in FUXA SCADA/HMI server (npm package fuxa-server <= 1.1.14-1243) allows unauthenticated remote attackers to connect to the Socket.IO endpoint and coerce the server to issue arbitrary HTTP(S), OPC UA, or ODBC requests with response bodies echoed back to the caller. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-w86f-rf9w-h3x6 provides full handler-level reproduction details and the fix is shipped in release v1.3.2.
Server-side request forgery in jishenghua jshERP up to version 3.6 allows a remote, highly-privileged attacker to manipulate the 'platformValue' argument of the platformConfig Add Endpoint, causing the server to issue forged HTTP requests to internal or external targets. The CVSS 4.0 base score of 2.0 reflects the high privilege requirement (PR:H), but exploitation is simplified by low complexity and no user interaction. A publicly available exploit exists (E:P confirmed in CVSS vector), and the project maintainer has not responded to the responsible disclosure issue filed on GitHub.
Server-side request forgery in perfree go-fastdfs-web versions up to 1.3.7 allows remote unauthenticated attackers to coerce the application into issuing arbitrary outbound HTTP requests via the checkServer function exposed at the /install/checkServer installation endpoint. Publicly available exploit code exists per VulDB, and the vendor did not respond to disclosure, leaving deployments without a confirmed fix. The flaw is reachable network-wide with no authentication and low complexity, raising the practical risk of internal network reconnaissance and cloud metadata abuse.
Server-side request forgery in the shared GraphQL service of Altium Enterprise Server (prior to 8.1.1) and Altium 365 allows authenticated users to coerce the server into issuing arbitrary outbound HTTP GET requests and receiving the response body. The flaw enables reconnaissance of internal services and cloud metadata endpoints not reachable from the public network. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Server-Side Request Forgery in Sync-in Server versions 2.2.1 and earlier allows authenticated low-privileged users to bypass the private-IP blocklist by supplying URLs that resolve to IPv4-mapped IPv6 addresses (::ffff:127.0.0.1, ::ffff:10.x.x.x). The URL download feature's regExpPrivateIP regex fails to recognize the dual-stack representation, letting the server fetch internal resources it should refuse. No public exploit identified at time of analysis beyond the reporter's PoC; the issue is not listed in CISA KEV.
Server-Side Request Forgery in NocoDB (npm/nocodb, versions up to and including 2026.05.0) allows authenticated users with connection-test permission to direct the NocoDB server process to open raw TCP sockets to attacker-specified internal destinations, including Redis instances, cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), and internal databases. The vulnerable connection-test endpoint accepted user-supplied database hostnames without DNS resolution or address-range validation, effectively making NocoDB an unauthenticated SSRF proxy to the internal network from the server's vantage point. No public exploit has been identified at time of analysis; a vendor-released patch exists in version 2026.05.1.
Server-side request forgery in linqi's custom process creation feature allows authenticated attackers to conduct internal network reconnaissance by forcing the server to issue arbitrary outbound HTTP requests. Affected product is linqi by linqi GmbH (all versions per CPE cpe:2.3:a:linqi_gmbh:linqi:*). By embedding a crafted HTTP Request component inside a custom workflow process, the attacker can enumerate internal hosts and open ports through differential response analysis (Success, Failed, or 504 Gateway Time-out). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Server-Side Request Forgery in the Essential Blocks WordPress plugin (versions through 6.1.3) allows authenticated users with Author-level access or higher to coerce the WordPress server into making arbitrary outbound HTTP requests via the save_ai_generated_image() function. The flaw enables attackers to probe internal network services, read responses from internal endpoints, and potentially modify state on services that trust requests from the WordPress host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Server-side request forgery in Shopware's media subsystem allows authenticated admin users to make arbitrary HTTP HEAD requests to internal network addresses and cloud metadata endpoints via the `/api/_action/media/external-link` endpoint. The root cause is an inconsistency between two URL-handling flows in `MediaUploadService`: the `uploadFromURL` flow correctly validates resolved IPs against private/reserved ranges, while the `linkURL` flow only checks that the URL begins with `http://` or `https://`. Exploiting this, an admin can probe cloud metadata services, enumerate internal ports, and leak `content-length` values from internal services; no public exploit has been identified at time of analysis, and a vendor-released patch exists in version 6.7.10.1.
Unauthenticated server-side request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to coerce the Tautulli or Plex Media Server host into fetching arbitrary attacker-chosen URLs via the public `/image/<hash>` route. A low-privilege guest first seeds a malicious external URL into the `image_hash_lookup` table, after which any unauthenticated external user can trigger the SSRF by requesting the resulting hash. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-m6j6-rc2c-8vpm and a vendor patch in v2.17.1 confirm the issue.
Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode endpoint's url parameter, causing the server to issue arbitrary outbound HTTP requests via Spring's RestTemplate.getForEntity. The affected component (RestTemplateUtil.java) passes attacker-controlled input directly to the HTTP client without URL validation or allowlisting, enabling internal network reconnaissance, cloud metadata service probing, and potential lateral movement. A public exploit has been disclosed via GitHub issue #35; no vendor patch exists as the project has not responded to the responsible disclosure report.
Server-Side Request Forgery and path traversal in docling-core versions 1.5.0 through 2.74.0 allow remote attackers to coerce the library into writing files outside the user-defined cache directory by manipulating server-controlled Content-Disposition headers when applications fetch untrusted URLs. The flaw stems from insufficient validation of remote request destinations combined with unsafe resolution of server-supplied filenames. No public exploit identified at time of analysis, but the network-reachable, unauthenticated nature of the bug (CVSS 8.6) makes it a meaningful supply-chain concern for Python applications integrating docling-core for document processing.
Path traversal and SSRF in Docling's HTML backend allow attackers to coerce the document processor into reading local files, contacting internal network resources, and consuming unbounded resources when a crafted HTML document is processed with non-default fetch flags enabled. The flaw affects the docling Python package prior to 2.94.0 and stems from missing validation of file:// URIs, relative/absolute paths, HTTP redirects, and download sizes; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
XML External Entity (XXE) injection in Docling's USPTO patent backend allows remote attackers to trigger denial of service, read arbitrary server files, or perform SSRF by submitting crafted patent XML to vulnerable versions (>=2.13.0, <2.74.0). The flaw stems from use of Python's unsafe xml.sax.parseString() across the ICE v4.x, Grant v2.5, and Application v1.x parsers. No public exploit identified at time of analysis, but the fix is publicly documented in the vendor advisory and a working patched release is available.
Server-side request forgery and potential remote code execution in Docling versions 2.82.0 through 2.90.x affect deployments that explicitly enable the Playwright-based HTML rendering backend. When `render_page=True` is set, untrusted HTML documents can execute arbitrary JavaScript in the rendering browser context and reach internal network services, enabling SSRF, data exfiltration, or code execution in the rendering environment. No public exploit identified at time of analysis, and the issue is not in CISA KEV, but a vendor-confirmed fix exists in 2.91.0.
Server-side request forgery in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition allows remote unauthenticated attackers to write files to the underlying operating system via crafted HTTP requests, which Cisco notes can be leveraged to escalate to root. Cisco has assigned this a Critical Security Impact Rating despite the 8.6 CVSS score because of the root-escalation pathway. No public exploit identified at time of analysis, and exploitation requires the non-default WebDialer service to be enabled.
Server-Side Request Forgery in wonderwhy-er DesktopCommanderMCP 0.2.37 allows low-privileged remote MCP clients to coerce the server into fetching arbitrary internal URLs via the `url` argument of the `readFileFromUrl` function in `src/tools/filesystem.ts`. The unpatched server performs no origin validation and follows HTTP redirects automatically, enabling attackers to reach RFC 1918 private networks and cloud instance metadata services (AWS/GCP/Azure at 169.254.169.254) from the server's network context. Publicly available exploit code exists (CVSS 4.0 E:P), though no CISA KEV listing is present at time of analysis.
Server-side request forgery in blender-mcp's ZIP File Handler allows authenticated remote attackers to manipulate the zip_file_url parameter in import_generated_asset_hunyuan, causing the MCP server to issue arbitrary outbound HTTP requests on behalf of the attacker - including to internal network resources such as cloud metadata endpoints. All rolling-release commits up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b are affected, per CPE cpe:2.3:a:ahujasid:blender-mcp:*:*:*:*:*:*:*:*. A publicly available exploit exists via GitHub issue #203 (E:P confirmed in CVSS temporal vector), though no CISA KEV listing exists at time of analysis.
Server-side request forgery in Medplum versions prior to 5.1.14 lets authenticated users abuse the FHIR Subscription worker to make the server issue HTTP POST requests to arbitrary internal endpoints. Because the worker delivers full FHIR resource payloads to attacker-chosen URLs, attackers can target cloud instance metadata services (e.g., AWS IMDS), internal databases, and orchestrator APIs to steal IAM credentials and exfiltrate patient health records. No public exploit identified at time of analysis, but a vendor patch and a VulnCheck advisory are available.
D.Launcher 2, a component of the Slovak eID client ecosystem by Ditec a.s., exposes Windows users to NTLM credential theft and SSRF attacks via improperly handled custom URL protocol registrations. An unauthenticated remote attacker who convinces a victim to open a specially crafted URL can trigger outbound NTLM authentication or SMB connections to attacker-controlled infrastructure, leaking Net-NTLMv2 hashes suitable for offline cracking or relay attacks. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Server-side request forgery in nextlevelbuilder GoClaw through version 3.11.3 allows remote attackers with high-privilege credentials to manipulate the TTS Configuration Import function into issuing arbitrary server-side HTTP requests to unintended destinations. The vulnerable code path is the Import function within internal/http/tts_config.go, reachable over the network without user interaction once an administrative session is established. A publicly available proof-of-concept exploit exists (confirmed by CVSS temporal metric E:P and GitHub issue #1132); no active exploitation has been confirmed by CISA KEV, and the project has characterized the report as a bug rather than a security issue, which may signal a slower remediation response.
Server-side request forgery in DedeCMS 5.7.88 allows low-privileged authenticated remote attackers to make the server issue arbitrary HTTP requests by manipulating the base64-decoded Link argument in /plus/download.php?open=1. Exploitation enables internal network probing, potential access to cloud metadata endpoints (e.g., AWS IMDSv1), and limited confidentiality, integrity, and availability impact (C:L/I:L/A:L per CVSS). Publicly available exploit code exists (CVSS temporal E:P; description confirms exploit publication), though no confirmed active exploitation or CISA KEV listing has been identified at time of analysis.
Server-side request forgery in Nanobot (HKUDS) prior to 0.2.1 lets unauthenticated remote attackers exfiltrate Microsoft Bot Framework bearer tokens by poisoning the stored Teams conversation reference with an attacker-controlled serviceUrl. VulnCheck reported the issue and HKUDS shipped a fix in v0.2.1 (commit 232df45), but at time of analysis there is no public exploit identified and the CVE is not on CISA KEV. CVSS 4.0 of 7.0 reflects low vulnerable-system impact but High confidentiality/integrity impact on subsequent (downstream) systems - namely the Bot Framework tenant whose tokens are leaked.
Server-side request forgery in SourceCodester SEO Meta Tag Extractor 1.0 allows remote unauthenticated attackers to coerce the application into making arbitrary outbound HTTP requests by manipulating the 'url' parameter passed to the get_headers() function in /index.php. Publicly available exploit code exists per VulDB, increasing the likelihood of opportunistic abuse against exposed instances, though no active exploitation has been confirmed via CISA KEV.
Server-side request forgery in Nanobot's web_fetch tool prior to v0.2.1 allows authenticated remote attackers to probe and reach internal or private network hosts by exploiting the httpx library's automatic HTTP redirect-following behavior. The attack bypasses initial URL validation by supplying a legitimate-looking external URL that responds with a 3xx redirect to a loopback or RFC-1918 address - the outbound request to the internal host is dispatched before any post-redirect validation is applied. No public exploit code exists and no CISA KEV listing is present, but the Changed Scope (S:C) in the CVSS vector indicates that successful exploitation can affect network components beyond Nanobot itself, such as internal APIs or metadata services.
Server-side request forgery in horizon921 mcpilot 0.1.0 allows unauthenticated remote attackers to force the server to issue arbitrary HTTP requests by supplying a malicious value to the `serverBaseUrl` parameter in the MCP API Call Endpoint (`client/src/app/api/mcp/call/route.ts`). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms the attack requires no authentication and no user interaction, making it trivially reachable from the network. A public exploit exists (E:P), no vendor patch has been released, and the project maintainer has not yet responded to the responsible disclosure.
Server-side request forgery (SSRF) in hekmon8/Jenkins-server-mcp 0.1.0 allows a remote, low-privileged attacker to forge outbound HTTP requests from the server by manipulating the jobPath parameter across the get_build_status, get_build_log, and trigger_build functions in src/index.ts. The flaw stems from absent or insufficient validation of user-supplied job path values before they are used to construct server-side requests to Jenkins. Publicly available exploit code exists (disclosed via GitHub issue #4); no vendor patch has been released and the maintainer has not responded to the disclosure.
Server-side request forgery in indrasishbanerjee aem-mcp-server allows authenticated remote attackers with low privileges to manipulate the assetPath argument of the getAssetMetadata function, causing the server's Axios HTTP client to issue arbitrary outbound requests. All code up to commit b5f833aef9b5dfd17a5991b3b18a8a11edbdc583 is affected; the project uses no versioning scheme, making version-based scoping impossible. Publicly available exploit code exists (GitHub issue #3), though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 base score of only 2.1 due to limited impact scope and an authentication prerequisite.
Server-Side Request Forgery in Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows unauthenticated remote attackers to trigger outbound HTTP requests from the server to internal or restricted network resources by supplying a crafted image URL to the UrlImageConverter component. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, making this trivially reachable against any exposed instance. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Server-Side Request Forgery in Clair's fetcher component exposes internal network services and cloud metadata endpoints to unauthenticated remote attackers who can submit container image manifests with crafted layer descriptor URIs. Affected deployments are those where PSK (Pre-Shared Key) authentication is not configured - an opt-in control that is not enforced by default - meaning standalone or custom Clair installations without PSK are directly exploitable over the network with no credentials. Reflective SSRF behavior leaks up to 256 bytes of internal error body content per request via CheckResponse error messages, enabling network reconnaissance; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Server-side request forgery in JeecgBoot versions up to 3.9.1 allows authenticated remote attackers to manipulate the `FileDownloadUtils.download2DiskFromNet` function via the `/airag/app/debug` endpoint, coercing the server into issuing arbitrary HTTP requests - including to cloud instance metadata services that may expose cloud credentials. Publicly available exploit code exists (confirmed by CVSS 4.0 E:P modifier and CVE description), though no active exploitation is confirmed by CISA KEV. The CVSS 4.0 score of 2.1 reflects constrained scope and the low-privilege authentication requirement, but defenders on cloud infrastructure using IMDSv1 should treat the real-world impact as potentially higher than the score suggests.
Server-side request forgery in JeecgBoot up to 3.9.2 allows low-privileged remote attackers to make the application server issue arbitrary outbound HTTP requests via the unvalidated `baseUrl` parameter in the `/airag/airagModel/test` endpoint. Publicly available exploit code exists (E:P in CVSS 4.0 vector), though no active exploitation has been confirmed by CISA KEV. Impact is rated low across confidentiality, integrity, and availability (VC:L/VI:L/VA:L), but SSRF primitives in low-code platforms can enable internal network reconnaissance and lateral movement against services inaccessible from the internet. No vendor-released patch has been issued at time of analysis - a fix is planned for an upcoming release.
Server-side request forgery in JeecgBoot up to version 3.9.2 allows remote authenticated attackers to induce the server to issue arbitrary outbound HTTP requests via the WordUtil.addImage function at the /airag/word/edit endpoint. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network-accessible, low-complexity exploitation requiring only low-privilege credentials with no user interaction needed. Publicly available exploit code exists (E:P in CVSS vector; publicly disclosed per description), and no vendor-released patch has been issued at time of analysis - only a fix planned for an upcoming release.
Server-side request forgery in Aider-AI Aider 0.86.3 allows authenticated remote attackers to make the application issue arbitrary HTTP requests to internal network resources, including cloud infrastructure metadata endpoints such as the AWS EC2 instance metadata service at 169.254.169.254. The URL scraping component accepts user-supplied URLs without validating whether the destination resolves to private RFC1918 or link-local address space, enabling an attacker to proxy requests through the Aider host. No public exploit identified at time of analysis meets KEV criteria, but publicly available exploit code exists via GitHub issue #5075, and the upstream fix (PR #5137) awaits formal acceptance into a release.
Local SSRF in PraisonAI's direct-prompt CLI allows an attacker who can influence prompt text to cause the operator's machine to fetch loopback and private-network HTTP resources, injecting the response body into the LLM prompt context. Affected packages are pip/praisonai <= 4.6.39 and pip/praisonaiagents <= 1.6.39; patches are available in 4.6.40 and 1.6.40 respectively. Publicly available exploit code exists (confirmed working PoC in the GHSA advisory), no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), and the CVSS 5.5 score reflects a meaningful confidentiality impact (C:H) constrained by a local attack vector.
SSRF protection bypass in PraisonAI's spider_tools component (praisonaiagents <= 1.6.39, PraisonAI <= 4.6.39) allows an attacker who can influence URLs submitted to scrape_page(), crawl(), or extract_text() to reach loopback-only HTTP services by supplying alternate loopback address encodings such as octal IPv4, hex, decimal integer, or trailing-dot hostname forms. The _validate_url() function performs only exact-string blocklist checks against 'localhost' and '127.0.0.1', without DNS resolution, IP normalization, or post-connect address validation, causing the bypass. Publicly available exploit code (PoC) has been confirmed functional; no active exploitation via CISA KEV has been identified at time of analysis.
Blind SSRF in Nezha Dashboard (v0.20.0-v2.0.9) allows any low-privileged authenticated user to force the dashboard process to issue arbitrary HTTP requests to loopback and internal network addresses by configuring a malicious DDNS webhook profile. The attacker fully controls the request method, URL, headers, and body, enabling probing or manipulation of internal services that trust the dashboard host's network position. A publicly available proof-of-concept confirms full pipeline exploitation against a loopback listener; no public exploit identified at time of analysis in CISA KEV.
Server-side request forgery in CC-Tweaked (a Minecraft mod providing in-game programmable computers via Lua) allows any player able to run Lua code to bypass the mod's HTTP private-network filter by addressing internal IPv4 services through NAT64 well-known prefix addresses (64:ff9b::/96). On cloud-hosted Minecraft servers using IPv6-only subnets with NAT64 routing (the default outbound-IPv4 path on AWS and GCP), this exposes other VPC instances, internal databases, and cloud metadata/management APIs. Publicly available exploit code exists via the GitHub Security Advisory PoC; no public exploit identified at time of analysis as being used in the wild and the issue is not listed in CISA KEV.
Server-side request forgery in Koel (composer/phanan/koel <= 9.3.4) allows authenticated low-privilege users to coerce the server into fetching arbitrary internal URLs and stream the full response back to the attacker. The flaw stems from podcast episode enclosure URLs being persisted unvalidated despite SafeUrl checks being applied to the parent feed URL; no public exploit identified at time of analysis, but a detailed working PoC is published in the GHSA advisory.
Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform's isInternalAddress network protection and pivot HTTP GET probes into internal services via the dataset preview endpoint. The flaw stems from an incomplete prior fix in the externalFile data import path, scoped-changed impact (S:C) elevates risk to adjacent systems, and no public exploit identified at time of analysis.
Server-side request forgery in Spatie Laravel Medialibrary before 11.23.0 allows authenticated remote attackers to coerce the application server into issuing arbitrary outbound HTTP requests by supplying user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php. The flaw is reachable in any Laravel application that exposes addMediaFromUrl() to end-user input, and no public exploit identified at time of analysis, though the upstream patch and a VulnCheck advisory provide enough detail for trivial reproduction. With a CVSS of 7.4 and Scope:Changed, exploitation can pivot to internal services, cloud metadata endpoints, or other backend systems beyond the immediate Laravel host.
Server-side request forgery in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 allows remote unauthenticated attackers to coerce the build server into issuing arbitrary outbound HTTP requests through the build status functionality. The CVSS 7.5 score (C:H/I:N/A:N) reflects high-impact disclosure of internal data without integrity or availability effects, and no public exploit is identified at time of analysis.
Sandbox network isolation bypass in vm2 NodeVM (versions <= 3.11.3) allows untrusted JavaScript running in the sandbox to regain outbound and listening network access despite explicit exclusions of public network modules. Remote attackers (in the threat model where the application accepts untrusted code) can leverage Node.js's undocumented underscored builtins such as `_http_client` and `_http_server` to reach internal services, cloud metadata endpoints, and localhost-only admin panels. Publicly available exploit code exists (PoC published in the GHSA advisory), and a vendor-released patch is available in version 3.11.4.
SSRF deny-list bypass in Gotenberg v8 (<= 8.32.0) allows unauthenticated remote attackers to reach internal cloud metadata services (e.g., AWS/GCP/Azure IMDS at 169.254.169.254) by serving a crafted DNS AAAA record containing IPv6 6to4, NAT64, or deprecated site-local prefixes that the IsPublicIP allow-list fails to recognize. Publicly available exploit code exists via the GitHub Security Advisory PoC, and the Chromium URL-convert route returns the upstream response as a PDF, yielding a full-read SSRF that can leak IAM credentials. No vendor-released patch identified at time of analysis (advisory lists no fixed version).
Server-side request forgery in MoviePilot v2's image proxy endpoint (/api/v1/system/img-proxy) allows authenticated attackers holding a valid resource_token cookie to coerce the server into fetching arbitrary internal URLs. The flaw stems from SecurityUtils.is_safe_url performing domain-membership checks without blocking private, loopback, or link-local IPs, letting attackers enumerate co-hosted media services such as Jellyfin, Emby, and Plex and exfiltrate internal data. No public exploit identified at time of analysis, though the upstream patch and vendor-published advisory clearly document the attack path.
SSRF policy bypass in OpenClaw before 2026.4.29 enables authenticated low-privileged attackers to circumvent private-network SSRF protections via browser debug and export routes. The flaw (CWE-863, Incorrect Authorization) allows an attacker who already holds valid credentials to reuse previously blocked browser tabs, causing the application to export or inspect content from protected internal resources that the SSRF policy was intended to restrict. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the high confidentiality impact on the vulnerable component (VC:H in CVSS 4.0) warrants prompt patching for internet-exposed instances.
Server-side request forgery in Shibby Tomato 1.28 allows unauthenticated remote attackers to force the router to issue arbitrary HTTP requests via a crafted UPnP SUBSCRIBE callback URL processed by the miniupnpd daemon's send() function. The affected firmware is end-of-life with no vendor patch forthcoming; the project has been superseded by FreshTomato. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms the attack is remotely exploitable without authentication or special conditions on reachable devices.
Man-in-the-middle interception in the Axios HTTP client library (all versions through 1.15.x) allows any prototype pollution elsewhere in the Node.js dependency tree to be escalated into full traffic hijacking. Because `config.proxy` is not defined in Axios defaults, `lib/adapters/http.js` reads it via prototype-chain traversal - letting an attacker who controls `Object.prototype.proxy` silently route every outbound HTTPS/HTTP request through their server, harvesting Authorization headers, cookies, and request bodies while tampering with responses. Publicly available exploit code exists in the disclosure; no public exploit identified at time of analysis in the wild and not on CISA KEV.
Server-Side Request Forgery in axios versions <1.16.0 and <=0.31.1 allows remote attackers who control a request URL to bypass NO_PROXY allowlists by using IPv4-mapped IPv6 notation (e.g., ::ffff:7f00:1 for 127.0.0.1, or ::ffff:a9fe:a9fe for the 169.254.169.254 cloud metadata endpoint). The flaw is an incomplete fix for CVE-2025-62718: shouldBypassProxy normalizes brackets and trailing dots but never canonicalises the ::ffff: prefix, so loopback and metadata exclusions silently fail and traffic is routed through an attacker-controlled HTTP/HTTPS proxy. Publicly available exploit code exists (full PoC in the GHSA advisory); no public exploit identified at time of analysis as actively exploited and the CVE is not in CISA KEV.
Server-side request forgery in Red Hat OpenShift Container Platform 4's Router component allows authenticated users with EndpointSlice write permissions to coerce the router into proxying requests to cloud provider instance metadata endpoints (e.g., 169.254.169.254), exposing instance credentials and sensitive metadata. The flaw bypasses prior IP-address-based validation by abusing FQDN-backed EndpointSlices that resolve to metadata services. No public exploit identified at time of analysis, and the issue is not present on CISA KEV.
Server-Side Request Forgery in Mautic's Focus component enables authenticated low-privileged users to coerce the hosting server into issuing arbitrary outbound HTTP requests to internal or external destinations. The CVSS scope change (S:C) confirms the vulnerability crosses the application boundary, making internal network reconnaissance viable from a standard marketing platform user account. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis, but the authenticated-yet-low-privilege requirement and changed scope make this a meaningful lateral movement enabler in enterprise Mautic deployments.
Server-Side Request Forgery (SSRF) in Red Hat Quay 3's config-tool allows a highly privileged attacker with config editor access to probe internal network infrastructure from the Quay pod's network position. By supplying attacker-controlled endpoints to the LDAP and SMTP validation functions - which make outbound connections without IP or hostname filtering - the attacker can enumerate internal services and map network topology behind the container boundary. The scope change (S:C) in the CVSS vector confirms that exploitation reaches systems beyond the Quay component itself. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Symfony's polyfill-intl-idn library (versions 1.17.1–1.38.0) silently accepts malformed Punycode ACE labels — specifically `xn--` prefixed labels whose decoded payload is empty or contains only ASCII characters — which native PHP ext-intl correctly rejects. This divergence allows attackers to craft domain names such as `poc.xn--kc1zs4-.com` that the polyfill normalizes to `poc.kc1zs4.com`, causing hostname blacklist bypasses and inconsistent URL parsing in applications that rely on the polyfill for canonicalization or security-sensitive hostname comparisons. The flaw directly enables server-side request forgery (SSRF) in affected deployments, mirrors the pattern established by CVE-2024-12224, and no public exploit has been identified at time of analysis beyond the proof-of-concept inputs included in the vendor advisory.
Server-Side Request Forgery in Kibana allows an authenticated user holding connector management privileges to bypass the operator-configured connector allowlist, forcing the Kibana server to issue outbound HTTP requests to destinations that egress controls were explicitly designed to block. The CVSS Changed Scope (S:C) combined with high confidentiality impact (C:H) means successful exploitation extends beyond Kibana itself, potentially exposing sensitive internal network resources such as cloud metadata services or internal APIs reachable from the Kibana host. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Server-side request forgery in Elastic Kibana allows authenticated users holding connector management privileges to bypass operator-configured egress allowlists by crafting a Webhook connector with an arbitrary target. The flaw enables Kibana to issue outbound HTTP requests to internal or otherwise restricted destinations, exposing sensitive data accessible from the Kibana host. No public exploit identified at time of analysis, and the vulnerability is not present on the CISA KEV list.
Server-side request forgery in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to bypass HTTP/HTTPS scheme restrictions by exploiting the CurlInputPlugin's failure to set CURLOPT_REDIR_PROTOCOLS_STR alongside CURLOPT_FOLLOWLOCATION in libcurl. An attacker who can submit URLs to MPD via commands such as add, readcomments, albumart, readpicture, or load can cause MPD to follow redirects to non-HTTP protocols including gopher, ftp, sftp, ldap, dict, rtmp, and rtsp - enabling interaction with internal or restricted network services. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the CVSS 4.0 score of 6.9 with a fully unauthenticated network attack vector warrants prompt patching on any externally accessible MPD deployment.
Server-Side Request Forgery in compliance-trestle's HTTPSFetcher._do_fetch() allows a local low-privileged attacker to redirect outbound HTTP requests to internal services or cloud metadata endpoints such as 169.254.169.254 - enabling credential theft from AWS, GCP, or Azure instance metadata. Affected are all pip releases of compliance-trestle before 3.12.2 and versions 4.0.0 through 4.0.2. A public proof-of-concept (poc_ssrf_and_path_traversal.py) with 13 verified exploit vectors is attached to the GitHub Security Advisory GHSA-w76h-q7c6-jpjp; no public exploit identified at time of analysis as confirmed active exploitation (CISA KEV) and no EPSS score was provided in the input data.
SSRF protection in Local Deep Research prior to version 1.6.10 can be bypassed by authenticated users through a URL parser differential between Python's urlparse and the requests/urllib3 library. By supplying a crafted URL such as http://127.0.0.1:6666\@1.1.1.1, an attacker causes urlparse to extract the public host 1.1.1.1 (passing the SSRF check) while requests actually connects to the internal address 127.0.0.1. No public exploitation has been confirmed in CISA KEV at time of analysis, but a working proof-of-concept was included in the GHSA advisory. The CVSS 5.0 score reflects the authentication barrier (PR:L) and limited confidentiality impact (C:L), though the changed scope (S:C) signals the server itself is used to pivot to otherwise-unreachable internal resources.
PyJWKClient in PyJWT prior to 2.13.0 passes attacker-influenced URIs directly to Python's urllib.request.urlopen() without restricting URI schemes, enabling Server-Side Request Forgery (SSRF) across file://, FTP, and data-URI schemes against applications that accept untrusted jku values. Affected deployments include any Python application using PyJWKClient where the jku URL originates from a JWT header, OAuth flow parameter, or externally influenced configuration. No public exploit exists and no CISA KEV listing is present; real-world exploitation is constrained by a CVSS-confirmed high attack complexity (AC:H) and required user interaction (UI:R), making opportunistic mass exploitation unlikely.
Server-side request forgery in FlowIntel up to version 3.3.0 allows a low-privileged authenticated user to coerce the application server into issuing HTTP HEAD requests to attacker-specified destinations-including loopback addresses, RFC 1918 private ranges, link-local cloud metadata endpoints, and other restricted network resources-via the external reference URL probe feature in app/case/task.py. The root cause is absent URL scheme filtering and missing resolved-IP validation before the outbound request is dispatched. No public exploit has been identified at time of analysis and the CVE is not listed in CISA KEV, though the upstream fix commit confirms the flaw's existence and scope.
Server-Side Request Forgery in Independent Analytics (WordPress plugin, all versions through 2.14.9) enables unauthenticated remote attackers to inject arbitrary referrer domains into the site's analytics database and subsequently trigger server-side HTTP requests to any host - including internal network services and cloud metadata endpoints. The exploit chain combines a bypassable signature check on the public /wp-json/iawp/search REST endpoint (static salt embedded in publicly-accessible JavaScript) with a scheduled favicon fetcher that issues raw cURL requests with zero SSRF mitigations. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV, but CVSS PR:N/AC:L indicates exploitation requires no authentication and minimal complexity, particularly threatening for WordPress deployments on cloud infrastructure.
Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in the privileged D-Bus service by exploiting a PID-reuse race in the UnixProcessSubject authorization check. A successful race grants the attacker the authority of a privileged process, exposing high-impact root-level operations (snapshot/file restore) on the host. EPSS is low (0.13%, 3rd percentile) and no public exploit is identified; the issue was found in a coordinated SUSE security review and fixed in v1.3.3.
Authentication bypass in qSnapper's privileged D-Bus service (versions before 1.3.3) allows any local unprivileged user to invoke administrative snapshot operations by piggy-backing on another client's prior Polkit authentication. The service stored authentication state in a single shared m_authenticated flag rather than per-client, so once any caller passed an admin check, all subsequent D-Bus callers inherited that state. No public exploit identified at time of analysis; the issue was found during a SUSE-coordinated security review and patched in v1.3.3.
Server-side request forgery in Budibase before 3.39.0 lets a builder-level user coerce the server into sending POST requests to arbitrary internal or external destinations. The flaw lives in the OAuth2 SDK's fetchToken function, which issues outbound requests via plain node-fetch and bypasses the blacklist.isBlacklisted guard that every other outbound path enforces, while the Joi validation on the OAuth2 token URL imposes no scheme or host restriction. No public exploit identified at time of analysis, and the issue is fixed in 3.39.0.
Server-Side Request Forgery in Budibase's VectorDB configuration endpoint (versions prior to 3.35.3) allows authenticated builder-level users to supply arbitrary host values - including cloud metadata addresses such as 169.254.169.254 or localhost - causing the server to initiate outbound TCP connections to internal network resources on the attacker's behalf. No public exploit has been identified at time of analysis, though SSVC classifies exploitation status as 'poc', indicating proof-of-concept material exists. In cloud-hosted deployments, the real-world impact exceeds what the CVSS 5.3 score implies, as metadata endpoint access can expose instance credentials and enable privilege escalation.
Server-side request forgery in Budibase before 3.39.0 lets an authenticated user with the BUILDER role coerce the platform into making attacker-controlled outbound requests by setting a malicious OAuth2 token endpoint URL. Because the token fetch path bypassed the codebase's existing SSRF-blocking HTTP wrapper, responses from internal-only services such as the CouchDB database or cloud instance metadata endpoints can be exfiltrated. No public exploit identified at time of analysis, but the flaw is straightforward to trigger and EPSS/KEV signals were not supplied.
Server-side request forgery in Budibase's automation engine (versions prior to 3.39.0) allows high-privileged authenticated users to redirect outbound HTTP requests from the Budibase server to attacker-controlled internal destinations by supplying an unvalidated queryId in the executeQuery automation step. When paired with a REST datasource pointed at internal infrastructure, automation execution causes the server to fetch arbitrary internal URLs and return their responses to the caller, potentially leaking sensitive internal service data. A proof-of-concept exists per SSVC assessment; no confirmed active exploitation or CISA KEV listing at time of analysis.
Server-Side Request Forgery in Jenkins Active Directory Plugin 2.41 and earlier enables a highly privileged attacker to abuse the plugin's default LDAP referral-following behavior to force Jenkins to issue out-of-band requests to attacker-controlled or internal network hosts. The vulnerability (CWE-918) stems from the plugin not restricting LDAP referrals by default, which can be weaponized to pivot from the Jenkins server into internal infrastructure. No public exploit code exists and SSVC confirms no known active exploitation, but the technical impact is rated total - confidentiality, integrity, and availability are all at risk if exploitation succeeds.
Unconstrained LDAP referral following in Jenkins LDAP Plugin (≤ 807.v7d7de30930cf) enables Server-Side Request Forgery, allowing a highly privileged attacker who controls LDAP configuration to force the Jenkins server to initiate connections to arbitrary internal hosts by supplying a malicious LDAP server that returns crafted referrals. The CVSS score of 6.6 reflects genuine constraints: network-reachable but requiring both high privileges and high attack complexity, with High confidentiality, integrity, and availability impact if those barriers are cleared. SSVC assessment confirms no current exploitation and a non-automatable attack path, though technical impact is rated total; no public exploit code has been identified at time of analysis.
Server-side request forgery in GitHub Enterprise Server lets an unauthenticated attacker coerce the appliance into issuing crafted requests to internal services, reachable through an upload endpoint that fails to validate input. By injecting path-traversal content into request parameters, an attacker can redirect internal API calls to reach back-end services and harvest sensitive credentials. No public exploit identified at time of analysis; the issue was reported through the GitHub Bug Bounty program and carries a CVSS 4.0 base score of 9.2 (Critical), though the vector flags high attack complexity and an extra attack requirement that temper real-world ease of exploitation.
Server-Side Request Forgery in GitHub Enterprise Server lets an attacker coerce the appliance into issuing HTTP requests to internal services through the security advisories package-lookup feature, then use response-timing differences as an oracle to infer sensitive environment variables such as signing secrets and private keys. All versions prior to 3.21.1 are affected, and exploitation is unauthenticated on instances not running in private mode (GitHub Packages must be enabled), or available to any authenticated user otherwise. No public exploit identified at time of analysis; the issue was reported through the GitHub Bug Bounty program and carries a CVSS 4.0 base score of 7.0.
Authenticated SSRF bypass in MaxKB's OSS file service URL fetch allows low-privilege users to reach internal network services by exploiting inconsistent DNS resolution between validation and request execution. MaxKB 2.8.0 and all prior versions are affected; the attacker causes the validation step to resolve a domain to a public IP, then swaps the DNS record so the actual HTTP fetch resolves to an internal address, bypassing the SSRF filter entirely. No public exploit has been identified and this CVE is not listed in CISA KEV; a vendor-released patch (2.8.1) is available.
Server-Side Request Forgery in MaxKB before 2.9.1 allows authenticated users to pivot into internal network infrastructure by supplying arbitrary URLs to the work_flow_template import endpoint. The server fetches attacker-controlled URLs without validation or internal IP filtering, enabling reconnaissance of internal services, cloud metadata endpoints, or other resources unreachable from the public internet. The CVSS 4.0 score of 6.3 is driven primarily by high subsequent-system confidentiality impact (SC:H), reflecting the lateral reach into backend infrastructure that SSRF typically enables. No public exploit code or active exploitation has been identified at time of analysis.
Server-side request forgery in MaxKB v2.8.0 and earlier allows authenticated low-privilege users to reach internal network services by exploiting an URL parsing inconsistency at the OSS file fetch endpoint. The discrepancy between Python's urlparse validation logic and the requests HTTP client means a crafted URL can pass security checks yet still route to internal infrastructure when executed by the server. No public exploit or KEV listing exists at time of analysis; the vendor has confirmed and patched the issue in 2.8.1.
Server-side request forgery in Weblate's Create Component feature allows authenticated users with component creation rights to make the Weblate server issue HTTP requests to arbitrary internal endpoints, including cloud metadata services, by supplying a crafted repository URL when the Mercurial VCS backend is selected. The Mercurial backend uniquely surfaces the full HTTP response body to the requesting user, enabling enumeration of internal services; file:// scheme requests additionally allow filesystem layout inference via error-message oracle behavior. No active exploitation has been confirmed (not in CISA KEV), but cloud-hosted deployments face elevated risk from IAM credential disclosure via instance metadata endpoints.
Server-Side Request Forgery in Google Cloud Apigee-X's SetIntegrationRequest policy enables remote attackers to coerce the API gateway into making attacker-controlled requests and exfiltrate service account access tokens from the underlying GCP metadata service. The flaw affects Apigee-X versions prior to 1.14.4, 1.15.2, and 1.16.1, but exploitation requires an administrator to have first deployed an API proxy with an insecure configuration. With no public exploit identified and a low EPSS score of 0.14%, the issue carries CVSS 9.2 severity primarily due to the high confidentiality and integrity impact on cloud credentials.
Server-side request forgery (SSRF) in IBM webMethods Integration Server (on-premises) 10.15 through IS_11.1_Core_Fix10 allows authenticated remote attackers to coerce the server into issuing unauthorized outbound HTTP requests to arbitrary destinations. An attacker with low-privileged credentials can leverage this to map internal network topology, probe non-publicly-routable services, or use the Integration Server as a pivot point for follow-on attacks against adjacent systems. No public exploit identified at time of analysis, and EPSS at 0.02% (7th percentile) alongside SSVC exploitation status of 'none' indicate no observed active exploitation.
Server-Side Request Forgery (SSRF) in e107 CMS versions prior to 2.3.4 allows authenticated administrators to reach internal network resources by supplying IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1) in the Media Manager's remote URL fetch feature, bypassing PHP's private-range IP filter. The root cause is a normalization gap in file_class.php where PHP's filter_var with FILTER_FLAG_NO_PRIV_RANGE does not canonicalize IPv4-mapped IPv6 notation, leaving loopback and private ranges reachable. Publicly available exploit code exists per SSVC data, though EPSS sits at 0.03% (7th percentile) and the vulnerability is not listed in CISA KEV, indicating low observed exploitation volume.
Quick Facts
- Typical Severity
- HIGH
- Category
- web
- Total CVEs
- 2860