Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4638 vulnerabilities reference this CWE, most recent first.

GHSA-R66P-45RW-5XC2

Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30
VLAI
Details

A server-side request forgery (ssrf) vulnerability [CWE-918] vulnerability in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.4, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to discover services running on local ports via crafted requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59809"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T16:16:31Z",
    "severity": "MODERATE"
  },
  "details": "A server-side request forgery (ssrf) vulnerability [CWE-918] vulnerability in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.4, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to discover services running on local ports via crafted requests.",
  "id": "GHSA-r66p-45rw-5xc2",
  "modified": "2026-04-14T18:30:34Z",
  "published": "2026-04-14T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59809"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-103"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R69X-4MJC-6RQ7

Vulnerability from github – Published: 2024-01-15 18:30 – Updated: 2024-01-22 21:31
VLAI
Details

The JSM file_get_contents() Shortcode WordPress plugin before 2.7.1 does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-15T16:15:12Z",
    "severity": "HIGH"
  },
  "details": "The JSM file_get_contents() Shortcode WordPress plugin before 2.7.1 does not validate one of its shortcode\u0027s parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks.",
  "id": "GHSA-r69x-4mjc-6rq7",
  "modified": "2024-01-22T21:31:06Z",
  "published": "2024-01-15T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6991"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/0b92becb-8a47-48fd-82e8-f7641cf5c9bc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6J8-C6R2-37RR

Vulnerability from github – Published: 2025-12-15 00:30 – Updated: 2025-12-20 03:27
VLAI
Summary
kube-controller-manager is vulnerable to half-blind Server Side Request Forgery through in-tree Portworx StorageClass
Details

A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.32.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.33.0-alpha.0"
            },
            {
              "fixed": "1.33.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.34.0-alpha.0"
            },
            {
              "fixed": "1.34.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-13281"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-16T00:48:30Z",
    "nvd_published_at": "2025-12-14T22:15:36Z",
    "severity": "MODERATE"
  },
  "details": "A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane\u2019s host network (including link-local or loopback services).",
  "id": "GHSA-r6j8-c6r2-37rr",
  "modified": "2025-12-20T03:27:50Z",
  "published": "2025-12-15T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13281"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/135525"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/commit/7506ce804c20696ba32cdb72126270ceaed06e24"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/commit/97650c1c4fe15cbb7756ba95b3edc8a8665063ca"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/commit/dbe17dfe7773563eac95534040f413ada6d2b421"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-r6j8-c6r2-37rr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubernetes/kubernetes"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/kubernetes-security-announce/c/EORqZg0k1l4/m/TtD-q0v7AgAJ"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/12/01/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "kube-controller-manager is vulnerable to half-blind Server Side Request Forgery through in-tree Portworx StorageClass"
}

GHSA-R6JG-JFV6-2FJV

Vulnerability from github – Published: 2025-01-16 19:35 – Updated: 2025-08-20 17:40
VLAI
Summary
Matrix Media Repo (MMR) allows Server-Side Request Forgery (SSRF) on redirects and federation
Details

Impact

Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.

Patches

This is fixed in MMR v1.3.8.

Workarounds

Restricting which hosts MMR is allowed to contact via (local) firewall rules or a transparent proxy.

References

https://owasp.org/www-community/attacks/Server_Side_Request_Forgery https://learn.snyk.io/lesson/ssrf-server-side-request-forgery/ https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.3.7"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/t2bot/matrix-media-repo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-16T19:35:02Z",
    "nvd_published_at": "2025-01-16T20:15:32Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nMatrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.\n\n### Patches\nThis is fixed in [MMR v1.3.8](https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8).\n\n### Workarounds\nRestricting which hosts MMR is allowed to contact via (local) firewall rules or a transparent proxy.\n\n### References\nhttps://owasp.org/www-community/attacks/Server_Side_Request_Forgery\nhttps://learn.snyk.io/lesson/ssrf-server-side-request-forgery/\nhttps://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang",
  "id": "GHSA-r6jg-jfv6-2fjv",
  "modified": "2025-08-20T17:40:09Z",
  "published": "2025-01-16T19:35:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-r6jg-jfv6-2fjv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52602"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/t2bot/matrix-media-repo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8"
    },
    {
      "type": "WEB",
      "url": "https://learn.snyk.io/lesson/ssrf-server-side-request-forgery"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3399"
    },
    {
      "type": "WEB",
      "url": "https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Matrix Media Repo (MMR) allows Server-Side Request Forgery (SSRF) on redirects and federation"
}

GHSA-R6M2-CJ32-WG84

Vulnerability from github – Published: 2023-10-09 09:30 – Updated: 2024-02-01 03:30
VLAI
Details

The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the /hydra/view/get_cc_url url parameter. There can be resultant SSRF.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-09T07:15:24Z",
    "severity": "MODERATE"
  },
  "details": "The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the /hydra/view/get_cc_url url parameter. There can be resultant SSRF.",
  "id": "GHSA-r6m2-cj32-wg84",
  "modified": "2024-02-01T03:30:22Z",
  "published": "2023-10-09T09:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39854"
    },
    {
      "type": "WEB",
      "url": "https://wiki.notveg.ninja/blog/CVE-2023-39854"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6M7-VHGH-X9QF

Vulnerability from github – Published: 2026-03-05 06:30 – Updated: 2026-03-05 21:30
VLAI
Details

Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery.This issue affects Ratatouille: from n/a through <= 1.2.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-05T06:16:36Z",
    "severity": "MODERATE"
  },
  "details": "Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery.This issue affects Ratatouille: from n/a through \u003c= 1.2.6.",
  "id": "GHSA-r6m7-vhgh-x9qf",
  "modified": "2026-03-05T21:30:43Z",
  "published": "2026-03-05T06:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28036"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/ratatouille/vulnerability/wordpress-ratatouille-theme-1-2-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R747-33R4-RMJW

Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-11 16:12
VLAI
Summary
Duplicate Advisory: OpenClaw: QQBot direct media upload skipped URL SSRF validation
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-c4qg-j8jg-42q5. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:12:55Z",
    "nvd_published_at": "2026-05-06T20:16:35Z",
    "severity": "MODERATE"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-c4qg-j8jg-42q5. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.",
  "id": "GHSA-r747-33r4-rmjw",
  "modified": "2026-05-11T16:12:55Z",
  "published": "2026-05-06T21:31:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qg-j8jg-42q5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44117"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/49db424c8001f2f419aad85f434894d8d85c1a09"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qqbot-direct-media-upload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: QQBot direct media upload skipped URL SSRF validation",
  "withdrawn": "2026-05-11T16:12:55Z"
}

GHSA-R7M8-874R-4G5V

Vulnerability from github – Published: 2026-03-30 21:31 – Updated: 2026-03-30 21:31
VLAI
Details

Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Request Forgery (SSRF) in CheckDatabaseRequest.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-29925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T19:16:24Z",
    "severity": "HIGH"
  },
  "details": "Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Request Forgery (SSRF) in CheckDatabaseRequest.php.",
  "id": "GHSA-r7m8-874r-4g5v",
  "modified": "2026-03-30T21:31:04Z",
  "published": "2026-03-30T21:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29925"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/TrekLaps/5b2c72106d950dab0cd1897eb93200f1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/invoiceninja/invoiceninja/blob/v5-stable/app/Http/Requests/Setup/CheckDatabaseRequest.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R7QF-PRJ4-7JHP

Vulnerability from github – Published: 2022-05-14 03:38 – Updated: 2022-05-14 03:38
VLAI
Details

A Server Side Request Forgery vulnerability exists in the install app process in Sandstorm before build 0.203. A remote attacker may exploit this issue by providing a URL. It could bypass access control such as firewalls that prevent the attackers from accessing the URLs directly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6201"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-06T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "A Server Side Request Forgery vulnerability exists in the install app process in Sandstorm before build 0.203. A remote attacker may exploit this issue by providing a URL. It could bypass access control such as firewalls that prevent the attackers from accessing the URLs directly.",
  "id": "GHSA-r7qf-prj4-7jhp",
  "modified": "2022-05-14T03:38:26Z",
  "published": "2022-05-14T03:38:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6201"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sandstorm-io/sandstorm/commit/164997fb958effbc90c5328c166706280a84aaa1"
    },
    {
      "type": "WEB",
      "url": "https://devco.re/blog/2018/01/26/Sandstorm-Security-Review-CVE-2017-6200-en"
    },
    {
      "type": "WEB",
      "url": "https://sandstorm.io/news/2017-03-02-security-review"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R7W5-7G5J-XMXJ

Vulnerability from github – Published: 2023-10-23 21:30 – Updated: 2024-04-04 08:53
VLAI
Details

umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-45966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-23T21:15:08Z",
    "severity": "HIGH"
  },
  "details": "umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability.",
  "id": "GHSA-r7w5-7g5j-xmxj",
  "modified": "2024-04-04T08:53:37Z",
  "published": "2023-10-23T21:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45966"
    },
    {
      "type": "WEB",
      "url": "https://github.com/umputun/remark42/issues/1677"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jet-pentest/CVE-2023-45966"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.