Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4658 vulnerabilities reference this CWE, most recent first.

GHSA-576C-3J53-R9JJ

Vulnerability from github – Published: 2024-10-10 22:01 – Updated: 2025-01-21 17:53
VLAI
Summary
Gradio vulnerable to SSRF in the path parameter of /queue/join
Details

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability relates to Server-Side Request Forgery (SSRF) in the /queue/join endpoint. Gradio’s async_save_url_to_cache function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This could enable attackers to target internal servers or services within a local network and possibly exfiltrate data or cause unwanted internal requests. Additionally, the content from these URLs is stored locally, making it easier for attackers to upload potentially malicious files to the server. This impacts users deploying Gradio servers that use components like the Video component which involve URL fetching.

Patches

Yes, please upgrade to gradio>=5 to address this issue.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

As a workaround, users can disable or heavily restrict URL-based inputs in their Gradio applications to trusted domains only. Additionally, implementing stricter URL validation (such as allowinglist-based validation) and ensuring that local or internal network addresses cannot be requested via the /queue/join endpoint can help mitigate the risk of SSRF attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47167"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-10T22:01:44Z",
    "nvd_published_at": "2024-10-10T22:15:11Z",
    "severity": "MODERATE"
  },
  "details": "### Impact  \n**What kind of vulnerability is it? Who is impacted?**\n\nThis vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint. Gradio\u2019s `async_save_url_to_cache` function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This could enable attackers to target internal servers or services within a local network and possibly exfiltrate data or cause unwanted internal requests. Additionally, the content from these URLs is stored locally, making it easier for attackers to upload potentially malicious files to the server. This impacts users deploying Gradio servers that use components like the Video component which involve URL fetching.\n\n### Patches  \nYes, please upgrade to `gradio\u003e=5` to address this issue.\n\n### Workarounds  \n**Is there a way for users to fix or remediate the vulnerability without upgrading?**\n\nAs a workaround, users can disable or heavily restrict URL-based inputs in their Gradio applications to trusted domains only. Additionally, implementing stricter URL validation (such as allowinglist-based validation) and ensuring that local or internal network addresses cannot be requested via the `/queue/join` endpoint can help mitigate the risk of SSRF attacks.",
  "id": "GHSA-576c-3j53-r9jj",
  "modified": "2025-01-21T17:53:33Z",
  "published": "2024-10-10T22:01:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-576c-3j53-r9jj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47167"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-215.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gradio vulnerable to SSRF in the path parameter of /queue/join"
}

GHSA-57PW-M5MJ-M29P

Vulnerability from github – Published: 2022-11-17 18:30 – Updated: 2022-11-21 18:30
VLAI
Details

A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). An unauthenticated Server-Side Request Forgery (SSRF) vulnerability was identified in one of the web services exposed on the syngo Dynamics application that could allow for the leaking of NTLM credentials as well as local service enumeration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-17T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in syngo Dynamics (All versions \u003c VA40G HF01). An unauthenticated Server-Side Request Forgery (SSRF) vulnerability was identified in one of the web services exposed on the syngo Dynamics application that could allow for the leaking of NTLM credentials as well as local service enumeration.",
  "id": "GHSA-57pw-m5mj-m29p",
  "modified": "2022-11-21T18:30:37Z",
  "published": "2022-11-17T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42894"
    },
    {
      "type": "WEB",
      "url": "https://www.siemens-healthineers.com/en-us/support-documentation/cybersecurity/shsa-741697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57VG-JXJV-V848

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31828"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-06T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin\u0027s intended scope.",
  "id": "GHSA-57vg-jxjv-v848",
  "modified": "2022-05-24T19:01:26Z",
  "published": "2022-05-24T19:01:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31828"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opendistro-for-elasticsearch/alerting/pull/353"
    },
    {
      "type": "WEB",
      "url": "https://opendistro.github.io/for-elasticsearch-docs/version-history"
    },
    {
      "type": "WEB",
      "url": "https://rotem-bar.com/ssrf-in-open-distro-for-elasticsearch-cve-2021-31828"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-57W5-CGMJ-2FR4

Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31
VLAI
Details

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the embedded web server in various Lexmark devices. This vulnerability can be leveraged by an attacker to force the device to send an arbitrary HTTP request to a third-party server. Successful exploitation of this vulnerability can lead to internal network access / potential data disclosure from a device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-09T18:15:36Z",
    "severity": "MODERATE"
  },
  "details": "A Server-Side Request Forgery (SSRF) vulnerability has been identified in the embedded web server in various Lexmark devices. This vulnerability can be leveraged by an attacker to force the device to send an arbitrary HTTP request to a third-party server.\u00a0Successful exploitation of this vulnerability can lead to internal network access / potential data disclosure from a device.",
  "id": "GHSA-57w5-cgmj-2fr4",
  "modified": "2025-09-09T18:31:25Z",
  "published": "2025-09-09T18:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9269"
    },
    {
      "type": "WEB",
      "url": "https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-57WV-8V6F-4353

Vulnerability from github – Published: 2026-06-22 18:34 – Updated: 2026-06-22 18:34
VLAI
Details

IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to server-side request forgery (SSRF) with the Ajax Proxy configured. This may allow an attacker to send unauthorized requests from the system, resulting in a security bypass or information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T16:16:43Z",
    "severity": "HIGH"
  },
  "details": "IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to server-side request forgery (SSRF) with the Ajax Proxy configured. This may allow an attacker to send unauthorized requests from the system, resulting in a security bypass or information disclosure.",
  "id": "GHSA-57wv-8v6f-4353",
  "modified": "2026-06-22T18:34:16Z",
  "published": "2026-06-22T18:34:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9006"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7276600"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-582G-J67J-5Q79

Vulnerability from github – Published: 2026-04-06 06:30 – Updated: 2026-04-06 06:30
VLAI
Details

A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-06T04:16:14Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-582g-j67j-5q79",
  "modified": "2026-04-06T06:30:29Z",
  "published": "2026-04-06T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5618"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/785572"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/355408"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/355408/cti"
    },
    {
      "type": "WEB",
      "url": "https://vulnplus-note.wetolink.com/share/3VtzyzYgcS4b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5868-VCX5-GWMP

Vulnerability from github – Published: 2023-12-14 09:30 – Updated: 2024-10-08 18:33
VLAI
Details

Unauthenticated LFI/SSRF in JCDashboards component for Joomla.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40630"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-14T09:15:41Z",
    "severity": "CRITICAL"
  },
  "details": "Unauthenticated LFI/SSRF in JCDashboards component for Joomla.",
  "id": "GHSA-5868-vcx5-gwmp",
  "modified": "2024-10-08T18:33:05Z",
  "published": "2023-12-14T09:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40630"
    },
    {
      "type": "WEB",
      "url": "https://extensions.joomla.org/extension/jcdashboards"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-586R-QXPV-M44Q

Vulnerability from github – Published: 2024-10-11 21:31 – Updated: 2024-10-15 21:30
VLAI
Details

A Server-Side Request Forgery (SSRF) vulnerability exists in the jpress <= v5.1.1, which can be exploited by an attacker to obtain sensitive information, resulting in an information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46468"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-11T21:15:07Z",
    "severity": "HIGH"
  },
  "details": "A Server-Side Request Forgery (SSRF) vulnerability exists in the jpress \u003c= v5.1.1, which can be exploited by an attacker to obtain sensitive information, resulting in an information disclosure.",
  "id": "GHSA-586r-qxpv-m44q",
  "modified": "2024-10-15T21:30:37Z",
  "published": "2024-10-11T21:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46468"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JPressProjects/jpress/issues/190"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ilikeoyt/b396bbb9ef858105c46e999630e7afbe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-587R-MC96-6F2P

Vulnerability from github – Published: 2026-05-11 14:45 – Updated: 2026-06-08 23:42
VLAI
Summary
GuardDog has a blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration
Details

Summary

The programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and capture the GH_TOKEN used by GuardDog.

Description

ProjectScanner.scan_remote() takes a url, branch, and requirements_name, then constructs a raw GitHub URL by calling:

githubusercontent_url = url.replace("github", "raw.githubusercontent")
req_url = f"{githubusercontent_url}/{branch}/{requirements_name}"
resp = requests.get(url=req_url, auth=token)

Because this logic does not parse or validate the hostname, a crafted URL such as:

http://github@127.0.0.1:18081/owner/repo

is transformed into:

http://raw.githubusercontent@127.0.0.1:18081/owner/repo/main/requirements.txt

Requests interprets this as an HTTP request to 127.0.0.1:18081, and GuardDog includes the configured GitHub credentials via HTTP Basic Auth.

Reproduction summary

  1. Start an HTTP listener on 127.0.0.1:18081 that logs the request path and Authorization header.
  2. Set GIT_USERNAME=alice and GH_TOKEN=supersecret.
  3. Call PypiRequirementsScanner().scan_remote("http://github@127.0.0.1:18081/owner/repo", "main", "requirements.txt").
  4. Observe a request to /owner/repo/main/requirements.txt with Authorization: Basic YWxpY2U6c3VwZXJzZWNyZXQ=.

Key code paths

  • guarddog/scanners/scanner.py:361-365

Practical impact

This can expose repository-scanning infrastructure to: - theft of the GitHub PAT configured in GH_TOKEN - SSRF to internal or localhost services reachable by the scanner - attacker-controlled dependency file content returned by the malicious endpoint

Prior public disclosure check

As of 2026-03-18, no matching public GitHub advisory, CVE, or public repo issue was found for this specific bug.

Suggested fix

Parse the input URL, require hostname == "github.com", validate the path shape (owner/repo), build the raw URL from parsed components instead of string replacement, and never send GitHub credentials to non-GitHub hosts.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "guarddog"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "last_affected": "2.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:45:08Z",
    "nvd_published_at": "2026-05-27T15:16:29Z",
    "severity": "HIGH"
  },
  "details": "# Summary\nThe programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller\u0027s GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and capture the `GH_TOKEN` used by GuardDog.\n\n# Description\n`ProjectScanner.scan_remote()` takes a `url`, `branch`, and `requirements_name`, then constructs a raw GitHub URL by calling:\n\n```python\ngithubusercontent_url = url.replace(\"github\", \"raw.githubusercontent\")\nreq_url = f\"{githubusercontent_url}/{branch}/{requirements_name}\"\nresp = requests.get(url=req_url, auth=token)\n```\n\nBecause this logic does not parse or validate the hostname, a crafted URL such as:\n\n```text\nhttp://github@127.0.0.1:18081/owner/repo\n```\n\nis transformed into:\n\n```text\nhttp://raw.githubusercontent@127.0.0.1:18081/owner/repo/main/requirements.txt\n```\n\nRequests interprets this as an HTTP request to `127.0.0.1:18081`, and GuardDog includes the configured GitHub credentials via HTTP Basic Auth.\n\n# Reproduction summary\n1. Start an HTTP listener on `127.0.0.1:18081` that logs the request path and `Authorization` header.\n2. Set `GIT_USERNAME=alice` and `GH_TOKEN=supersecret`.\n3. Call `PypiRequirementsScanner().scan_remote(\"http://github@127.0.0.1:18081/owner/repo\", \"main\", \"requirements.txt\")`.\n4. Observe a request to `/owner/repo/main/requirements.txt` with `Authorization: Basic YWxpY2U6c3VwZXJzZWNyZXQ=`.\n\n# Key code paths\n- `guarddog/scanners/scanner.py:361-365`\n\n# Practical impact\nThis can expose repository-scanning infrastructure to:\n- theft of the GitHub PAT configured in `GH_TOKEN`\n- SSRF to internal or localhost services reachable by the scanner\n- attacker-controlled dependency file content returned by the malicious endpoint\n\n# Prior public disclosure check\nAs of 2026-03-18, no matching public GitHub advisory, CVE, or public repo issue was found for this specific bug.\n\n# Suggested fix\nParse the input URL, require `hostname == \"github.com\"`, validate the path shape (`owner/repo`), build the raw URL from parsed components instead of string replacement, and never send GitHub credentials to non-GitHub hosts.",
  "id": "GHSA-587r-mc96-6f2p",
  "modified": "2026-06-08T23:42:22Z",
  "published": "2026-05-11T14:45:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DataDog/guarddog/security/advisories/GHSA-587r-mc96-6f2p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44971"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DataDog/guarddog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GuardDog has a blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration"
}

GHSA-5899-42J8-FXPR

Vulnerability from github – Published: 2026-02-14 09:31 – Updated: 2026-02-14 09:31
VLAI
Details

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-14T09:16:11Z",
    "severity": "MODERATE"
  },
  "details": "The MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the \u0027load_lyrics_ajax_callback\u0027 function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
  "id": "GHSA-5899-42j8-fxpr",
  "modified": "2026-02-14T09:31:34Z",
  "published": "2026-02-14T09:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1249"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3453076/mp3-music-player-by-sonaar/trunk/sonaar-music.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/261aad1e-43fc-4927-a97d-85a001863023?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.