Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

CVEs (2,679)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-31796 - - Apr 23, 2026 Apr 1, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in TheInnovs ElementsCSS Addons for Elementor css-for-elementor allows Server Side Request Forgery.This issue affects ElementsCSS Addons for Elementor: from n/a through <=...Show more Server-Side Request Forgery (SSRF) vulnerability in TheInnovs ElementsCSS Addons for Elementor css-for-elementor allows Server Side Request Forgery.This issue affects ElementsCSS Addons for Elementor: from n/a through <= 1.0.8.9.Show less
CVE-2025-21384 1Microsoft 1Azure Health Bot Jul 8, 2025 Apr 1, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 An authenticated attacker can exploit an Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges over a network.
CVE-2025-31117 1Open Emr 1Openemr Apr 30, 2025 Mar 31, 2025 6.9 MEDIUM· v4 7.5 HIGH· v3 N/A· v2 OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in OpenEMR, allowing an attacker...Show more OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in OpenEMR, allowing an attacker to force the server to make unauthorized requests to external or internal resources. this attack does not return a direct response but can be exploited through DNS or HTTP interactions to exfiltrate sensitive information. This vulnerability is fixed in 7.0.3.1.Show less
CVE-2025-31116 1Opensecurity 1Mobile Security Framework Jun 12, 2025 Mar 31, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.geth...Show more Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.gethostbyname(), which is vulnerable to SSRF abuse using DNS rebinding technique. This vulnerability is fixed in 4.3.2.Show less
CVE-2025-2997 1Zhangyanbo2007 1Youkefu Oct 10, 2025 Mar 31, 2025 5.3 MEDIUM· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability was found in zhangyanbo2007 youkefu 4.2.0. It has been classified as critical. Affected is an unknown function of the file /res/url. The manipulation of the argument url leads to server-side request forge...Show more A vulnerability was found in zhangyanbo2007 youkefu 4.2.0. It has been classified as critical. Affected is an unknown function of the file /res/url. The manipulation of the argument url leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-31527 - - Apr 23, 2026 Mar 31, 2025 N/A· v4 6.4 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in Kishan WP Link Preview wp-link-preview allows Server Side Request Forgery.This issue affects WP Link Preview: from n/a through <= 1.4.1.
CVE-2025-28096 1Onenav 1Onenav Apr 7, 2025 Mar 28, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 OneNav 1.1.0 is vulnerable to Server-Side Request Forgery (SSRF) in custom headers.
CVE-2025-28094 1Shopxo 1Shopxo Apr 7, 2025 Mar 28, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 shopxo v6.4.0 has a ssrf/xss vulnerability in multiple places.
CVE-2025-28093 1Shopxo 1Shopxo Apr 7, 2025 Mar 28, 2025 N/A· v4 6.3 MEDIUM· v3 N/A· v2 ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) in Email Settings.
CVE-2025-28092 1Shopxo 1Shopxo Apr 7, 2025 Mar 28, 2025 N/A· v4 6.3 MEDIUM· v3 N/A· v2 ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) via image upload function.
CVE-2025-28091 1Maccms 1Maccms Apr 7, 2025 Mar 28, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 maccms10 v2025.1000.4047 has a Server-Side Request Forgery (SSRF) vulnerability via Add Article.
CVE-2025-28090 1Maccms 1Maccms Apr 7, 2025 Mar 28, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in the Collection Custom Interface feature.
CVE-2025-28089 1Maccms 1Maccms Apr 7, 2025 Mar 28, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) via the Scheduled Task function.
CVE-2025-31076 - - Apr 23, 2026 Mar 28, 2025 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in WP Compress WP Compress for MainWP wp-compress-mainwp allows Server Side Request Forgery.This issue affects WP Compress for MainWP: from n/a through <= 6.30.03.
CVE-2024-48944 1Apache 1Kylin Apr 1, 2025 Mar 27, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information....Show more Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information. There are two preconditions: 1) The attacker has got admin access to a kylin server; 2) Another internal host has the "/kylin/api/xxx/diag" api endpoint open for service. This issue affects Apache Kylin: from 5.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2, which fixes the issue.Show less
CVE-2025-22672 - - Apr 23, 2026 Mar 27, 2025 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in SuitePlugins Video & Photo Gallery for Ultimate Member gallery-for-ultimate-member allows Server Side Request Forgery.This issue affects Video & Photo Gallery for Ultim...Show more Server-Side Request Forgery (SSRF) vulnerability in SuitePlugins Video & Photo Gallery for Ultimate Member gallery-for-ultimate-member allows Server Side Request Forgery.This issue affects Video & Photo Gallery for Ultimate Member: from n/a through <= 1.1.2.Show less
CVE-2025-30914 - - Apr 23, 2026 Mar 27, 2025 N/A· v4 4.4 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in Roxnor Metform metform allows Server Side Request Forgery.This issue affects Metform: from n/a through <= 3.9.2.
CVE-2025-2835 1Zhyd 1Oneblog Apr 1, 2025 Mar 27, 2025 5.3 MEDIUM· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The man...Show more A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.Show less
CVE-2025-27406 - - Mar 27, 2025 Mar 26, 2025 N/A· v4 7.6 HIGH· v3 N/A· v2 Icinga Reporting is the central component for reporting related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows to set up a templat...Show more Icinga Reporting is the central component for reporting related functionality in the monitoring web frontend and framework Icinga Web 2. A vulnerability present in versions 0.10.0 through 1.0.2 allows to set up a template that allows to embed arbitrary Javascript. This enables the attacker to act on behalf of the user, if the template is being previewed; and act on behalf of the headless browser, if a report using the template is printed to PDF. This issue has been resolved in version 1.0.3 of Icinga Reporting. As a workaround, review all templates and remove suspicious settings.Show less
CVE-2025-1912 1Webtoffee 1Product Import Export For Woocommerce Jul 9, 2025 Mar 26, 2025 N/A· v4 7.6 HIGH· v3 N/A· v2 The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() Function....Show more The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() Function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.Show less

Previous 1...596061...134 Next