Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

CVEs (2,679)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-27312 1Gleezcms 1Gleez Cms Apr 16, 2025 Apr 3, 2024 N/A· v4 9.4 CRITICAL· v3 N/A· v2 Server Side Request Forgery (SSRF) vulnerability in Gleez Cms 1.2.0, allows remote attackers to execute arbitrary code and obtain sensitive information via modules/gleez/classes/request.php.
CVE-2024-25864 - - Mar 13, 2025 Apr 3, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 Server Side Request Forgery (SSRF) vulnerability in Friendica versions after v.2023.12, allows a remote attacker to execute arbitrary code and obtain sensitive information via the fpostit.php component.
CVE-2024-30532 - - Apr 28, 2026 Apr 2, 2024 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in Builderall Team Builderall Builder for WordPress.This issue affects Builderall Builder for WordPress: from n/a through 2.0.1.
CVE-2024-30531 - - Apr 28, 2026 Apr 2, 2024 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content.This issue affects Nelio Content: from n/a through 3.2.0.
CVE-2024-24888 1Kadencewp 1Gutenberg Blocks With Ai Apr 28, 2026 Apr 2, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in StellarWP Gutenberg Blocks by Kadence Blocks kadence-blocks.This issue affects Gutenberg Blocks by Kadence Blocks: from n/a through <= 3.2.25.
CVE-2024-25187 1Xiaocheng Keji 171cms Jun 10, 2025 Apr 2, 2024 N/A· v4 8.6 HIGH· v3 N/A· v2 Server Side Request Forgery (SSRF) vulnerability in 71cms v1.0.0, allows remote unauthenticated attackers to obtain sensitive information via getweather.html.
CVE-2024-30453 - - Apr 28, 2026 Mar 29, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in Brave Brave Popup Builder.This issue affects Brave Popup Builder: from n/a through 0.6.5.
CVE-2023-45705 1Hcltech 1Bigfix Platform Mar 28, 2025 Mar 28, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 An administrative user of WebReports may perform a Server Side Request Forgery (SSRF) exploit through SMTP configuration options.
CVE-2024-27775 - - Nov 21, 2024 Mar 28, 2024 N/A· v4 7.2 HIGH· v3 N/A· v2 SysAid before version 23.2.14 b18 - CWE-918: Server-Side Request Forgery (SSRF) may allow exposing the local OS user's NTLMv2 hash
CVE-2023-50374 - - Apr 28, 2026 Mar 28, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in NiteoThemes CMP – Coming Soon & Maintenance.This issue affects CMP – Coming Soon & Maintenance: from n/a through 4.1.10.
CVE-2024-29090 1Meowapps 1Ai Engine Apr 8, 2025 Mar 28, 2024 N/A· v4 6.8 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.1.4.
CVE-2024-23500 1Kadencewp 1Gutenberg Blocks With Ai Apr 23, 2026 Mar 28, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in StellarWP Gutenberg Blocks by Kadence Blocks kadence-blocks.This issue affects Gutenberg Blocks by Kadence Blocks: from n/a through <= 3.2.19.
CVE-2023-39313 1Theme Fusion 1Avada Apr 28, 2026 Mar 28, 2024 N/A· v4 7.7 HIGH· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in ThemeFusion Avada.This issue affects Avada: from n/a through 7.11.1.
CVE-2023-36679 1Brainstormforce 1Spectra Apr 28, 2026 Mar 28, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Spectra.This issue affects Spectra: from n/a through 2.6.6.
CVE-2023-34370 - - Apr 28, 2026 Mar 28, 2024 N/A· v4 7.1 HIGH· v3 N/A· v2 Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Starter Templates — Elementor, WordPress & Beaver Builder Templates, Brainstorm Force Premium Starter Templates.This issue affects Starter Templates —...Show more Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Starter Templates — Elementor, WordPress & Beaver Builder Templates, Brainstorm Force Premium Starter Templates.This issue affects Starter Templates — Elementor, WordPress & Beaver Builder Templates: from n/a through 3.2.4; Premium Starter Templates: from n/a through 3.2.4.Show less
CVE-2024-0677 1Popozure 1Pz Linkcard Apr 1, 2025 Mar 28, 2024 N/A· v4 5.1 MEDIUM· v3 N/A· v2 The Pz-LinkCard WordPress plugin through 2.5.1 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks.
CVE-2024-2206 1Gradio Project 1Gradio Jul 29, 2025 Mar 27, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exploit this vulnerability by manipulating the `self.replica_urls` set throu...Show more An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exploit this vulnerability by manipulating the `self.replica_urls` set through the `X-Direct-Url` header in requests to the `/` and `/config` routes, allowing the addition of arbitrary URLs for proxying. This flaw enables unauthorized proxying of requests and potential access to internal endpoints within the Hugging Face space. The issue arises from the application's inadequate checking of safe URLs in the `build_proxy_request` function.Show less
CVE-2024-28435 1Twenty 1Twenty Sep 18, 2025 Mar 25, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The CRM platform Twenty version 0.3.0 is vulnerable to SSRF via file upload.
CVE-2024-29190 1Opensecurity 1Mobile Security Framework Jun 30, 2025 Mar 22, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input...Show more Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input validation when extracting the hostnames in `android:host`, so requests can also be sent to local hostnames. This can lead to server-side request forgery. An attacker can cause the server to make a connection to internal-only services within the organization's infrastructure. Commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77 has a hotfix for this issue. Show less
CVE-2024-2828 1Lakernote 1Easyadmin Aug 21, 2025 Mar 22, 2024 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, was found in lakernote EasyAdmin up to 20240315. Affected is the function thumbnail of the file src/main/java/com/laker/admin/module/sys/controller/IndexController.java....Show more A vulnerability, which was classified as critical, was found in lakernote EasyAdmin up to 20240315. Affected is the function thumbnail of the file src/main/java/com/laker/admin/module/sys/controller/IndexController.java. The manipulation of the argument url leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 23165d8cb569048c531150f194fea39f8800b8d5. It is recommended to apply a patch to fix this issue. VDB-257718 is the identifier assigned to this vulnerability.Show less

Previous 1...808182...134 Next