← Back
CWE-918

2,678 CVEs • Abstraction: Base

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

JSON object

Loading...

CVEs (2,678)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2025-45475
1Maccms
1Maccms
Jun 24, 2025
May 27, 2025
N/A· v4
5.4 MEDIUM· v3
N/A· v2
maccms10 v2025.1000.4047 is vulnerable to Server-Side request forgery (SSRF) in Friend Link Management.
CVE-2025-48383
-
-
May 28, 2025
May 27, 2025
N/A· v4
8.2 HIGH· v3
N/A· v2
Django-Select2 is a Django integration for Select2. Prior to version 8.4.1, instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret access tokens across reques...Show more
Django-Select2 is a Django integration for Select2. Prior to version 8.4.1, instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret access tokens across requests. This can allow users to access restricted query sets and restricted data. This issue has been patched in version 8.4.1.Show less
CVE-2025-5186
1Jeesite
1Jeesite
Aug 25, 2025
May 26, 2025
5.3 MEDIUM· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
A vulnerability was found in thinkgem JeeSite up to 5.11.1. It has been rated as critical. Affected by this issue is the function ResourceLoader.getResource of the file /cms/fileTemplate/form of the component URI Scheme...Show more
A vulnerability was found in thinkgem JeeSite up to 5.11.1. It has been rated as critical. Affected by this issue is the function ResourceLoader.getResource of the file /cms/fileTemplate/form of the component URI Scheme Handler. The manipulation of the argument Name leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-5140
-
-
May 28, 2025
May 25, 2025
5.3 MEDIUM· v4
6.3 MEDIUM· v3
6.5 MEDIUM· v2
A vulnerability classified as critical has been found in Seeyon Zhiyuan OA Web Application System up to 8.1 SP2. This affects the function this.oursNetService.getData of the file com\ours\www\ehr\openPlatform1\open4Clien...Show more
A vulnerability classified as critical has been found in Seeyon Zhiyuan OA Web Application System up to 8.1 SP2. This affects the function this.oursNetService.getData of the file com\ours\www\ehr\openPlatform1\open4ClientType\controller\ThirdMenuController.class. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2025-48739
-
-
May 28, 2025
May 23, 2025
4.6 MEDIUM· v4
N/A· v3
N/A· v2
A Server-Side Request Forgery (SSRF) vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows remote authenticated attackers with admin permissions...Show more
A Server-Side Request Forgery (SSRF) vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows remote authenticated attackers with admin permissions (allowing them to access specific API endpoints) to manipulate URLs to direct requests to unexpected hosts or ports. This allows the attacker to use a TheHive server as a proxy to reach internal or otherwise restricted resources. This could be exploited to access other servers on the internal network.Show less
CVE-2024-13957
-
-
May 23, 2025
May 22, 2025
7.0 HIGH· v4
7.6 HIGH· v3
N/A· v2
SSRF Server Side Request Forgery vulnerabilities exist in ASPECT if administrator credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
CVE-2025-47936
1Typo3
1Typo3
Sep 3, 2025
May 20, 2025
N/A· v4
4.4 MEDIUM· v3
N/A· v2
TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, Webhooks are inherently vulnerable to Cross-Site Request Forg...Show more
TYPO3 is an open source, PHP based web content management system. In versions on the 12.x branch prior to 12.4.31 LTS and the 13.x branch prior to 13.4.2 LTS, Webhooks are inherently vulnerable to Cross-Site Request Forgery (CSRF), which can be exploited by adversaries to target internal resources (e.g., localhost or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access systems that would otherwise be inaccessible. An administrator-level backend user account is required to exploit this vulnerability. Users should update to TYPO3 version 12.4.31 LTS or 13.4.12 LTS to fix the problem.Show less
CVE-2025-36560
1Appleple
1A Blog Cms
Sep 30, 2025
May 19, 2025
9.2 CRITICAL· v4
7.5 HIGH· v3
N/A· v2
Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially craf...Show more
Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request.Show less
CVE-2025-47791
1Nextcloud
1Nextcloud Server
Sep 19, 2025
May 16, 2025
N/A· v4
5.3 MEDIUM· v3
N/A· v2
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3, a currently unused endpoint to ver...Show more
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3, a currently unused endpoint to verify a share recipient was not protected correctly, allowing to proxy requests to another server. The endpoint was removed in Nextcloud Server 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server 28.0.13, 29.0.10, and 30.0.3. No known workarounds are available.Show less
CVE-2024-6584
1Automattic
1Jetpack Boost
Jun 11, 2025
May 15, 2025
N/A· v4
9.1 CRITICAL· v3
N/A· v2
The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs.
CVE-2025-40595
-
-
May 16, 2025
May 14, 2025
N/A· v4
7.2 HIGH· v3
N/A· v2
A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. By using an encoded URL, a remote unauthenticated attacker could potentially cause the appliance to ma...Show more
A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. By using an encoded URL, a remote unauthenticated attacker could potentially cause the appliance to make requests to unintended location.Show less
CVE-2024-13940
-
-
May 16, 2025
May 14, 2025
N/A· v4
5.5 MEDIUM· v3
N/A· v2
The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attacker...Show more
The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.Show less
CVE-2025-45887
1Wanglongcn
1Yifang
Jun 12, 2025
May 9, 2025
N/A· v4
9.1 CRITICAL· v3
N/A· v2
Yifang CMS v2.0.2 is vulnerable to Server-Side Request Forgery (SSRF) in /api/file/getRemoteContent.
CVE-2025-47733
1Microsoft
1Power Apps
May 21, 2025
May 8, 2025
N/A· v4
7.5 HIGH· v3
N/A· v2
Server-Side Request Forgery (SSRF) in Microsoft Power Apps allows an unauthorized attacker to disclose information over a network
CVE-2025-29972
1Microsoft
1Azure Storage Resource Provider
Feb 13, 2026
May 8, 2025
N/A· v4
9.8 CRITICAL· v3
N/A· v2
Server-side request forgery (ssrf) in Azure Storage Resource Provider allows an authorized attacker to perform spoofing over a network.
CVE-2025-47664
1Thimpress
1Wp Pipes
Apr 28, 2026
May 7, 2025
N/A· v4
6.5 MEDIUM· v3
N/A· v2
Server-Side Request Forgery (SSRF) vulnerability in ThimPress WP Pipes allows Server Side Request Forgery. This issue affects WP Pipes: from n/a through 1.4.2.
CVE-2025-47635
1Webinarpress
1Webinarpress
Apr 23, 2026
May 7, 2025
N/A· v4
9.8 CRITICAL· v3
N/A· v2
Server-Side Request Forgery (SSRF) vulnerability in WPWebinarSystem WebinarPress wp-webinarsystem allows Server Side Request Forgery.This issue affects WebinarPress: from n/a through <= 1.33.28.
CVE-2025-47548
1Wbcomdesigns
1Activity Link Preview For Buddypress
Apr 23, 2026
May 7, 2025
N/A· v4
9.8 CRITICAL· v3
N/A· v2
Server-Side Request Forgery (SSRF) vulnerability in Varun Dubey Wbcom Designs - Activity Link Preview For BuddyPress activity-link-preview-for-buddypress allows Server Side Request Forgery.This issue affects Wbcom Design...Show more
Server-Side Request Forgery (SSRF) vulnerability in Varun Dubey Wbcom Designs - Activity Link Preview For BuddyPress activity-link-preview-for-buddypress allows Server Side Request Forgery.This issue affects Wbcom Designs - Activity Link Preview For BuddyPress: from n/a through <= 1.4.4.Show less
CVE-2025-47484
-
-
Apr 23, 2026
May 7, 2025
N/A· v4
6.4 MEDIUM· v3
N/A· v2
Server-Side Request Forgery (SSRF) vulnerability in Oliver Campion Display Remote Posts Block display-remote-posts-block allows Server Side Request Forgery.This issue affects Display Remote Posts Block: from n/a through...Show more
Server-Side Request Forgery (SSRF) vulnerability in Oliver Campion Display Remote Posts Block display-remote-posts-block allows Server Side Request Forgery.This issue affects Display Remote Posts Block: from n/a through <= 1.1.0.Show less
CVE-2025-47483
-
-
Apr 23, 2026
May 7, 2025
N/A· v4
4.9 MEDIUM· v3
N/A· v2
Server-Side Request Forgery (SSRF) vulnerability in Iulia Cazan Easy Replace Image easy-replace-image allows Server Side Request Forgery.This issue affects Easy Replace Image: from n/a through <= 3.5.0.