CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4628 vulnerabilities reference this CWE, most recent first.
GHSA-VM4J-2MRW-2C59
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2026-07-05 00:31A SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely download arbitrary files on the server and remotely execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2020-25466"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-23T15:15:00Z",
"severity": "CRITICAL"
},
"details": "A SSRF vulnerability exists in the downloadimage interface of CRMEB 3.0, which can remotely download arbitrary files on the server and remotely execute arbitrary code.",
"id": "GHSA-vm4j-2mrw-2c59",
"modified": "2026-07-05T00:31:15Z",
"published": "2022-05-24T17:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25466"
},
{
"type": "WEB",
"url": "https://github.com/crmeb/CRMEB/issues/22"
},
{
"type": "WEB",
"url": "https://github.com/crmeb/CRMEB"
},
{
"type": "WEB",
"url": "http://crmeb.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VM77-MR48-27WJ
Vulnerability from github – Published: 2025-03-23 15:30 – Updated: 2025-09-26 21:27Versions of the package nossrf before 1.0.4 are vulnerable to Server-Side Request Forgery (SSRF), where an attacker can provide a hostname that resolves to a local or reserved IP address space and bypass the SSRF protection mechanism.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nossrf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-2691"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-25T16:30:30Z",
"nvd_published_at": "2025-03-23T15:15:13Z",
"severity": "HIGH"
},
"details": "Versions of the package nossrf before 1.0.4 are vulnerable to Server-Side Request Forgery (SSRF), where an attacker can provide a hostname that resolves to a local or reserved IP address space and bypass the SSRF protection mechanism.",
"id": "GHSA-vm77-mr48-27wj",
"modified": "2025-09-26T21:27:59Z",
"published": "2025-03-23T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2691"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-NOSSRF-9510842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "nossrf Server-Side Request Forgery (SSRF)"
}
GHSA-VMC4-9828-R48R
Vulnerability from github – Published: 2026-01-08 21:36 – Updated: 2026-01-11 14:55Impact
A vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF.
Vulnerable versions
This vulnerability is present in Ghost v5.38.0 to v5.130.5 to and Ghost v6.0.0 to v6.10.3.
Patches
v5.130.6 and v6.11.0 contain a fix for this issue.
References
Ghost thanks Sho Odagiri of GMO Cybersecurity by Ierae, Inc. for discovering and disclosing this vulnerability responsibly.
For more information
If there are any questions or comments about this advisory, email Ghost at security@ghost.org.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.10.3"
},
"package": {
"ecosystem": "npm",
"name": "ghost"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.11.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.130.5"
},
"package": {
"ecosystem": "npm",
"name": "ghost"
},
"ranges": [
{
"events": [
{
"introduced": "5.105.0"
},
{
"fixed": "5.130.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22597"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-08T21:36:03Z",
"nvd_published_at": "2026-01-10T03:15:50Z",
"severity": "MODERATE"
},
"details": "### Impact\nA vulnerability in Ghost\u2019s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF.\n\n### Vulnerable versions\nThis vulnerability is present in Ghost v5.38.0 to v5.130.5 to and Ghost v6.0.0 to v6.10.3.\n\n### Patches\nv5.130.6 and v6.11.0 contain a fix for this issue.\n\n### References\nGhost thanks Sho Odagiri of GMO Cybersecurity by Ierae, Inc. for discovering and disclosing this vulnerability responsibly.\n\n### For more information\nIf there are any questions or comments about this advisory, email Ghost at [security@ghost.org](mailto:security@ghost.org).",
"id": "GHSA-vmc4-9828-r48r",
"modified": "2026-01-11T14:55:24Z",
"published": "2026-01-08T21:36:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22597"
},
{
"type": "WEB",
"url": "https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9"
},
{
"type": "WEB",
"url": "https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51"
},
{
"type": "PACKAGE",
"url": "https://github.com/TryGhost/Ghost"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ghost has SSRF via External Media Inliner"
}
GHSA-VMFC-9982-2M45
Vulnerability from github – Published: 2026-07-07 23:46 – Updated: 2026-07-07 23:46Impact
Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions.
Patches
- https://github.com/WeblateOrg/weblate/pull/19768
Resources
The issue was reported by @tonghuaroot via GitHub, and the same user also provided the initial patch.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "weblate"
},
"ranges": [
{
"events": [
{
"introduced": "5.15"
},
{
"fixed": "2026.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50127"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-07T23:46:33Z",
"nvd_published_at": "2026-06-10T20:17:29Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWeblate\u0027s `VCS_RESTRICT_PRIVATE` did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions.\n\n### Patches\n\n* https://github.com/WeblateOrg/weblate/pull/19768\n\n### Resources\n\nThe issue was reported by @tonghuaroot via GitHub, and the same user also provided the initial patch.",
"id": "GHSA-vmfc-9982-2m45",
"modified": "2026-07-07T23:46:33Z",
"published": "2026-07-07T23:46:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-vmfc-9982-2m45"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50127"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/pull/19768"
},
{
"type": "PACKAGE",
"url": "https://github.com/WeblateOrg/weblate"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-2026.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Weblate SSRF: outbound URL guard misses some private ranges"
}
GHSA-VMH7-9C7H-2PGG
Vulnerability from github – Published: 2026-04-27 21:31 – Updated: 2026-05-06 18:29A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generate_favicon_from_url of the file src/auto_favicon/server.py of the component MCP Tool. The manipulation of the argument image_url results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has yet to receive a response.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "auto-favicon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-7150"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T18:29:24Z",
"nvd_published_at": "2026-04-27T19:17:00Z",
"severity": "LOW"
},
"details": "A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generate_favicon_from_url of the file src/auto_favicon/server.py of the component MCP Tool. The manipulation of the argument image_url results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has yet to receive a response.",
"id": "GHSA-vmh7-9c7h-2pgg",
"modified": "2026-05-06T18:29:24Z",
"published": "2026-04-27T21:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7150"
},
{
"type": "WEB",
"url": "https://github.com/dh1011/auto-favicon-mcp/issues/2"
},
{
"type": "PACKAGE",
"url": "https://github.com/dh1011/auto-favicon-mcp"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/802054"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/359749"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/359749/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "auto-favicon has a Server-Side Request Forgery issue"
}
GHSA-VP8W-WJ4M-3R7J
Vulnerability from github – Published: 2026-01-05 21:30 – Updated: 2026-01-05 23:15A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@evershop/evershop"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67427"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-05T23:15:41Z",
"nvd_published_at": "2026-01-05T20:16:03Z",
"severity": "MODERATE"
},
"details": "A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the \"GET /images\" API. The vulnerability occurs due to insufficient validation of the \"src\" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks.",
"id": "GHSA-vp8w-wj4m-3r7j",
"modified": "2026-01-05T23:15:41Z",
"published": "2026-01-05T21:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67427"
},
{
"type": "WEB",
"url": "https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67427"
},
{
"type": "PACKAGE",
"url": "https://github.com/evershopcommerce/evershop"
},
{
"type": "WEB",
"url": "https://pages.dos-m0nk3y.com/blog/EverShop%202.1.0%20-%20Unauthenticated%20DoS/#server-side-request-forgery-ssrf-cve-2025-67427"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "evershop allows unauthenticated attackers to force server to initiate HTTP request via \"GET /images\" API"
}
GHSA-VPFF-M9VH-PV4H
Vulnerability from github – Published: 2024-03-01 12:30 – Updated: 2024-03-10 03:30A vulnerability was found in Harrison Chase LangChain 0.1.9. It has been classified as critical. Affected is the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255372.
{
"affected": [],
"aliases": [
"CVE-2024-2057"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-01T12:15:48Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Harrison Chase LangChain 0.1.9. It has been classified as critical. Affected is the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-255372.",
"id": "GHSA-vpff-m9vh-pv4h",
"modified": "2024-03-10T03:30:45Z",
"published": "2024-03-01T12:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2057"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchain/pull/18695"
},
{
"type": "WEB",
"url": "https://github.com/bayuncao/vul-cve-16"
},
{
"type": "WEB",
"url": "https://github.com/bayuncao/vul-cve-16/tree/main/PoC.pkl"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.255372"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.255372"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VPJ2-MH86-XPMV
Vulnerability from github – Published: 2024-05-14 21:34 – Updated: 2024-05-14 21:34In WhatsUp Gold versions released before 2023.1.2 ,
a blind SSRF vulnerability exists in Whatsup Gold's FaviconController that allows an attacker to send arbitrary HTTP requests on behalf of the vulnerable server.
{
"affected": [],
"aliases": [
"CVE-2024-4561"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T21:15:13Z",
"severity": "MODERATE"
},
"details": "\nIn WhatsUp Gold versions released before 2023.1.2 , \n\na blind SSRF vulnerability exists in Whatsup Gold\u0027s FaviconController that allows an attacker to send arbitrary HTTP requests on behalf of the vulnerable server.\n\n",
"id": "GHSA-vpj2-mh86-xpmv",
"modified": "2024-05-14T21:34:44Z",
"published": "2024-05-14T21:34:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4561"
},
{
"type": "WEB",
"url": "https://community.progress.com/s/article/Announcing-WhatsUp-Gold-v2023-1-2"
},
{
"type": "WEB",
"url": "https://www.progress.com/network-monitoring"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VPJF-Q5Q9-W837
Vulnerability from github – Published: 2026-01-28 06:30 – Updated: 2026-01-28 06:30The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config.php via the 'csv_url' parameter.
{
"affected": [],
"aliases": [
"CVE-2025-14610"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-28T06:15:48Z",
"severity": "HIGH"
},
"details": "The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config.php via the \u0027csv_url\u0027 parameter.",
"id": "GHSA-vpjf-q5q9-w837",
"modified": "2026-01-28T06:30:31Z",
"published": "2026-01-28T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14610"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/tags/1.3.6/modules/data-table/widgets/data-table.php#L446"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/trunk/modules/data-table/widgets/data-table.php#L446"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3442158%40tablemaster-for-elementor\u0026new=3442158%40tablemaster-for-elementor\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef07d6b0-ccdb-4b33-817f-6d4b3ad96243?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VPWG-HJ8F-G57P
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network.
{
"affected": [],
"aliases": [
"CVE-2026-55051"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:17Z",
"severity": "MODERATE"
},
"details": "Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network.",
"id": "GHSA-vpwg-hj8f-g57p",
"modified": "2026-07-14T18:32:34Z",
"published": "2026-07-14T18:32:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55051"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55051"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.