CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4615 vulnerabilities reference this CWE, most recent first.
GHSA-WJCC-PPW7-7WF4
Vulnerability from github – Published: 2022-05-17 00:19 – Updated: 2022-05-17 00:19I, Librarian version <=4.6 & 4.7 is vulnerable to Server-Side Request Forgery in the ajaxsupplement.php resulting in the attacker being able to reset any user's password.
{
"affected": [],
"aliases": [
"CVE-2017-1000237"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-17T04:29:00Z",
"severity": "CRITICAL"
},
"details": "I, Librarian version \u003c=4.6 \u0026 4.7 is vulnerable to Server-Side Request Forgery in the ajaxsupplement.php resulting in the attacker being able to reset any user\u0027s password.",
"id": "GHSA-wjcc-ppw7-7wf4",
"modified": "2022-05-17T00:19:56Z",
"published": "2022-05-17T00:19:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000237"
},
{
"type": "WEB",
"url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170509-0_I_Librarian_Multiple_vulnerabilities_v10.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WJF6-53J2-2F8C
Vulnerability from github – Published: 2026-04-02 09:30 – Updated: 2026-04-02 09:30The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
{
"affected": [],
"aliases": [
"CVE-2026-0688"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-02T08:16:28Z",
"severity": "MODERATE"
},
"details": "The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the \u0027Tools::read\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
"id": "GHSA-wjf6-53j2-2f8c",
"modified": "2026-04-02T09:30:24Z",
"published": "2026-04-02T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0688"
},
{
"type": "WEB",
"url": "https://github.com/pfefferle/wordpress-webmention/blob/057223cee18a9e93b017d0f21db6ea77a7686489/includes/class-tools.php#L81"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/webmention/tags/5.6.2/includes/class-tools.php#L81"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3494831/webmention"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02c9beba-dfa5-4a30-8355-62ff9a2630f7?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJFP-3H3Q-724P
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31An unauthenticated attacker may perform a limited server side request forgery (SSRF), forcing the target device to open a TCP connection to an arbitrary port number on an arbitrary IP address. This SSRF leverages the WS-Addressing ReplyTo element in a Web service (HTTP TCP port 80) SOAP request. The attacker can not control the data sent in the SSRF connection, nor can the attacker receive any data back. This SSRF is suitable for TCP port scanning of an internal network when the Web service (HTTP TCP port 80) is exposed across a network segment.
{
"affected": [],
"aliases": [
"CVE-2024-51980"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-25T08:15:31Z",
"severity": "MODERATE"
},
"details": "An unauthenticated attacker may perform a limited server side request forgery (SSRF), forcing the target device to open a TCP connection to an arbitrary port number on an arbitrary IP address. This SSRF leverages the WS-Addressing ReplyTo element in a Web service (HTTP TCP port 80) SOAP request. The attacker can not control the data sent in the SSRF connection, nor can the attacker receive any data back. This SSRF is suitable for TCP port scanning of an internal network when the Web service (HTTP TCP port 80) is exposed across a network segment.",
"id": "GHSA-wjfp-3h3q-724p",
"modified": "2025-06-26T21:31:10Z",
"published": "2025-06-26T21:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51980"
},
{
"type": "WEB",
"url": "https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf"
},
{
"type": "WEB",
"url": "https://github.com/sfewer-r7/BrotherVulnerabilities"
},
{
"type": "WEB",
"url": "https://support.brother.com/g/b/link.aspx?prod=group2\u0026faqid=faq00100846_000"
},
{
"type": "WEB",
"url": "https://support.brother.com/g/b/link.aspx?prod=group2\u0026faqid=faq00100848_000"
},
{
"type": "WEB",
"url": "https://support.brother.com/g/b/link.aspx?prod=lmgroup1\u0026faqid=faqp00100620_000"
},
{
"type": "WEB",
"url": "https://www.fujifilm.com/fbglobal/eng/company/news/notice/2025/0625_announce.html"
},
{
"type": "WEB",
"url": "https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2025-0001.pdf"
},
{
"type": "WEB",
"url": "https://www.rapid7.com/blog/post/multiple-brother-devices-multiple-vulnerabilities-fixed"
},
{
"type": "WEB",
"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000007"
},
{
"type": "WEB",
"url": "https://www.toshibatec.com/information/20250625_02.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJH7-PGPR-92W5
Vulnerability from github – Published: 2025-05-29 21:31 – Updated: 2025-05-29 21:31A vulnerability was found in chshcms mccms 2.7. It has been classified as critical. This affects the function index of the file sys/apps/controllers/api/Gf.php. The manipulation of the argument pic leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-5327"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-29T21:15:26Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in chshcms mccms 2.7. It has been classified as critical. This affects the function index of the file sys/apps/controllers/api/Gf.php. The manipulation of the argument pic leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-wjh7-pgpr-92w5",
"modified": "2025-05-29T21:31:37Z",
"published": "2025-05-29T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5327"
},
{
"type": "WEB",
"url": "https://github.com/caigo8/CVE-md/blob/main/Mccms_V2.7/%E5%89%8D%E5%8F%B0SSRF.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.310497"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.310497"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.582295"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WJJQ-8G3W-MGM9
Vulnerability from github – Published: 2022-12-29 21:30 – Updated: 2023-01-09 18:30Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.
{
"affected": [],
"aliases": [
"CVE-2022-38211"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-29T20:15:00Z",
"severity": "HIGH"
},
"details": "Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were not fully honored and may allow a remote, unauthenticated attacker to forge requests to arbitrary URLs from the system, potentially leading to network enumeration or reading from hosts inside the network perimeter, a different issue than CVE-2022-38211 and CVE-2022-38212.",
"id": "GHSA-wjjq-8g3w-mgm9",
"modified": "2023-01-09T18:30:18Z",
"published": "2022-12-29T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38211"
},
{
"type": "WEB",
"url": "https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2022-update-2-patch-is-now-available"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJR8-MJPF-7CH7
Vulnerability from github – Published: 2023-06-15 21:30 – Updated: 2024-04-04 04:52In multiple functions of ChooserActivity.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-261036568
{
"affected": [],
"aliases": [
"CVE-2023-21105"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-15T19:15:09Z",
"severity": "MODERATE"
},
"details": "In multiple functions of ChooserActivity.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-261036568",
"id": "GHSA-wjr8-mjpf-7ch7",
"modified": "2024-04-04T04:52:12Z",
"published": "2023-06-15T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21105"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJRH-HJ83-3WH7
Vulnerability from github – Published: 2025-05-27 18:03 – Updated: 2025-05-27 18:03Impact
Instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can secret access tokens across requests. This can allow users to access restricted querysets and restricted data.
Patches
The problem has been patched in version 8.4.1 and all following versions.
Workarounds
This vulnerability is limited use cases where instances of widget classes are created during app loading (not during a request).
Example of affected code:
class MyForm(forms.ModelForm):
class Meta:
widgets = {"my_select_field": Select2ModelWidget()}
Django allows you to pass just the widget class (not the instance). This can be used to mitigate the session request leak.
Example of affected code:
class MyForm(forms.ModelForm):
class Meta:
widgets = {"my_select_field": Select2ModelWidget}
References
Thanks to @neartik for reporting this issue. I will address it later. I had to delete your issue, to avoid exploitation of this security issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django-select2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48383"
],
"database_specific": {
"cwe_ids": [
"CWE-402",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-27T18:03:19Z",
"nvd_published_at": "2025-05-27T15:15:35Z",
"severity": "HIGH"
},
"details": "### Impact\n\nInstances of `HeavySelect2Mixin` subclasses like the `ModelSelect2MultipleWidget` and `ModelSelect2Widget` can secret access tokens across requests. This can allow users to access restricted querysets and restricted data.\n\n### Patches\n\nThe problem has been patched in version 8.4.1 and all following versions.\n\n### Workarounds\n\nThis vulnerability is limited use cases where instances of widget classes are created during app loading (not during a request).\n\nExample of affected code:\n```python\nclass MyForm(forms.ModelForm):\n class Meta:\n widgets = {\"my_select_field\": Select2ModelWidget()}\n```\n\nDjango allows you to pass just the widget class (not the instance). This can be used to mitigate the session request leak.\n\nExample of affected code:\n```python\nclass MyForm(forms.ModelForm):\n class Meta:\n widgets = {\"my_select_field\": Select2ModelWidget}\n```\n\n\n\n### References\n\nThanks to @neartik for reporting this issue. I will address it later. I had to delete your issue, to avoid exploitation of this security issue.",
"id": "GHSA-wjrh-hj83-3wh7",
"modified": "2025-05-27T18:03:19Z",
"published": "2025-05-27T18:03:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/codingjoe/django-select2/security/advisories/GHSA-wjrh-hj83-3wh7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48383"
},
{
"type": "WEB",
"url": "https://github.com/codingjoe/django-select2/commit/e5f41e6edba004d35f94915ff5e2559f44853412"
},
{
"type": "PACKAGE",
"url": "https://github.com/codingjoe/django-select2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Django-Select2 Vulnerable to Widget Instance Secret Cache Key Leaking"
}
GHSA-WM69-2PC3-RMMF
Vulnerability from github – Published: 2026-06-18 17:25 – Updated: 2026-06-18 17:25Summary
The Docker API server applied its SSRF destination check (validate_url_destination) on the non-streaming /crawl path but not on the streaming path. handle_stream_crawl_request passed seed URLs straight to the crawler with no destination validation. A remote, unauthenticated client could call POST /crawl/stream (or POST /crawl with crawler_config.stream=true, which short-circuits to the same handler) with a URL pointing at an internal, private, or link-local address; the server fetched it and streamed the response body back. The Docker API is unauthenticated by default.
Affected paths
POST /crawl/stream, and POST /crawl with crawler_config.stream=true (both route to handle_stream_crawl_request, deploy/docker/api.py).
Impact
Unauthenticated read server-side request forgery: an attacker reads internal-only services and cloud-metadata endpoints (e.g. http://169.254.169.254/ for IAM credentials), with the response body streamed back. This is the same class and severity as the project's prior "SSRF via Direct Crawl Endpoints" advisory; /crawl/stream is part of that endpoint family and was never covered by the destination check.
Fix
handle_stream_crawl_request now validates every seed URL's destination with the same global-routability check as handle_crawl_request, before any fetch. The SSRF regression test was hardened to assert per-handler coverage (including the streaming handler) rather than a bare occurrence count, which previously let this gap pass.
Workarounds
- Upgrade to the patched version (0.9.0).
- Enable authentication and restrict who can reach the API (note: this does not constrain which URL the API fetches).
- Restrict the container's outbound network access (egress firewall / no metadata route).
Credits
KOH Jun Sheng - reported the streaming-path SSRF with a runnable PoC and noted the count-based regression test that masked it, plus the shared root cause with redirect/deep-crawl link following.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.9"
},
"package": {
"ecosystem": "PyPI",
"name": "crawl4ai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T17:25:50Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nThe Docker API server applied its SSRF destination check (`validate_url_destination`) on the non-streaming `/crawl` path but not on the streaming path. `handle_stream_crawl_request` passed seed URLs straight to the crawler with no destination validation. A remote, unauthenticated client could call `POST /crawl/stream` (or `POST /crawl` with `crawler_config.stream=true`, which short-circuits to the same handler) with a URL pointing at an internal, private, or link-local address; the server fetched it and streamed the response body back. The Docker API is unauthenticated by default.\n\n### Affected paths\n\n`POST /crawl/stream`, and `POST /crawl` with `crawler_config.stream=true` (both route to `handle_stream_crawl_request`, `deploy/docker/api.py`).\n\n### Impact\n\nUnauthenticated read server-side request forgery: an attacker reads internal-only services and cloud-metadata endpoints (e.g. `http://169.254.169.254/` for IAM credentials), with the response body streamed back. This is the same class and severity as the project\u0027s prior \"SSRF via Direct Crawl Endpoints\" advisory; `/crawl/stream` is part of that endpoint family and was never covered by the destination check.\n\n### Fix\n\n`handle_stream_crawl_request` now validates every seed URL\u0027s destination with the same global-routability check as `handle_crawl_request`, before any fetch. The SSRF regression test was hardened to assert per-handler coverage (including the streaming handler) rather than a bare occurrence count, which previously let this gap pass.\n\n### Workarounds\n\n- Upgrade to the patched version (0.9.0).\n- Enable authentication and restrict who can reach the API (note: this does not constrain which URL the API fetches).\n- Restrict the container\u0027s outbound network access (egress firewall / no metadata route).\n\n### Credits\n\nKOH Jun Sheng - reported the streaming-path SSRF with a runnable PoC and noted the count-based regression test that masked it, plus the shared root cause with redirect/deep-crawl link following.",
"id": "GHSA-wm69-2pc3-rmmf",
"modified": "2026-06-18T17:25:50Z",
"published": "2026-06-18T17:25:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-wm69-2pc3-rmmf"
},
{
"type": "PACKAGE",
"url": "https://github.com/unclecode/crawl4ai"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Crawl4AI: Unauthenticated SSRF on the Docker server streaming crawl path (/crawl/stream)"
}
GHSA-WM7J-M6JM-8797
Vulnerability from github – Published: 2026-04-01 21:42 – Updated: 2026-04-06 17:24Details
Distinct from CVE-2025-59159 and CVE-2026-26286 (all fixed in v1.16.0). This endpoint is still unpatched.
In src/endpoints/search.js line 419, the hostname is checked against /^\d+\.\d+\.\d+\.\d+$/. This only matches literal dotted-quad IPv4 (e.g. 127.0.0.1, 10.0.0.1). It does not catch:
- localhost (hostname, not dotted-quad)
- [::1] (IPv6 loopback)
- DNS names resolving to internal addresses (e.g. localtest.me -> 127.0.0.1)
A separate port check (urlObj.port !== '') limits exploitation to services on default ports (80/443), making this lower severity than a fully unrestricted SSRF.
PoC
- Start SillyTavern v1.16.0 normally
- Send requests to compare blocked vs bypassed (requires a valid session cookie or CSRF disabled):
# Blocked — dotted-quad matched by regex
curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \
-H "Content-Type: application/json" \
-d '{"url": "http://127.0.0.1/", "html": true}'
# Returns: 400 (blocked)
# Bypassed — "localhost" is not dotted-quad
curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \
-H "Content-Type: application/json" \
-d '{"url": "http://localhost/", "html": true}'
# Returns: 500 (passed validation, fetch attempted, ECONNREFUSED because nothing on port 80)
# Bypassed — IPv6 loopback is not dotted-quad
curl -s -o /dev/null -w "%{http_code}" -X POST http://127.0.0.1:8000/api/search/visit \
-H "Content-Type: application/json" \
-d '{"url": "http://[::1]/", "html": true}'
# Returns: 500 (passed validation, fetch attempted)
The 400 vs 500 difference confirms localhost and [::1] pass the IP check. The 500 is ECONNREFUSED (nothing listening on port 80), not a validation rejection.
Impact
Server-side request forgery with partial restrictions. An authenticated user can force the server to fetch from internal hosts on default ports (80/443) using hostnames or IPv6 addresses that bypass the IP check. The full response body is returned. Lower severity than a fully unrestricted SSRF due to the port limitation.
Resolution
The issue was addressed in version 1.17.0 by improving IPv6 address validation
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.16.0"
},
"package": {
"ecosystem": "npm",
"name": "sillytavern"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34526"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T21:42:24Z",
"nvd_published_at": "2026-04-02T18:16:29Z",
"severity": "MODERATE"
},
"details": "### Details\nDistinct from CVE-2025-59159 and CVE-2026-26286 (all fixed in v1.16.0). This endpoint is still unpatched.\n\nIn `src/endpoints/search.js` line 419, the hostname is checked against `/^\\d+\\.\\d+\\.\\d+\\.\\d+$/`. This only matches literal dotted-quad IPv4 (e.g. `127.0.0.1`, `10.0.0.1`). It does not catch:\n- `localhost` (hostname, not dotted-quad)\n- `[::1]` (IPv6 loopback)\n- DNS names resolving to internal addresses (e.g. `localtest.me` -\u003e 127.0.0.1)\n\nA separate port check (`urlObj.port !== \u0027\u0027`) limits exploitation to services on default ports (80/443), making this lower severity than a fully unrestricted SSRF.\n\n### PoC\n1. Start SillyTavern v1.16.0 normally\n2. Send requests to compare blocked vs bypassed (requires a valid session cookie or CSRF disabled):\n```bash\n# Blocked \u2014 dotted-quad matched by regex\ncurl -s -o /dev/null -w \"%{http_code}\" -X POST http://127.0.0.1:8000/api/search/visit \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"url\": \"http://127.0.0.1/\", \"html\": true}\u0027\n# Returns: 400 (blocked)\n\n# Bypassed \u2014 \"localhost\" is not dotted-quad\ncurl -s -o /dev/null -w \"%{http_code}\" -X POST http://127.0.0.1:8000/api/search/visit \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"url\": \"http://localhost/\", \"html\": true}\u0027\n# Returns: 500 (passed validation, fetch attempted, ECONNREFUSED because nothing on port 80)\n\n# Bypassed \u2014 IPv6 loopback is not dotted-quad\ncurl -s -o /dev/null -w \"%{http_code}\" -X POST http://127.0.0.1:8000/api/search/visit \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"url\": \"http://[::1]/\", \"html\": true}\u0027\n# Returns: 500 (passed validation, fetch attempted)\n```\n\nThe 400 vs 500 difference confirms `localhost` and `[::1]` pass the IP check. The 500 is ECONNREFUSED (nothing listening on port 80), not a validation rejection.\n\n### Impact\nServer-side request forgery with partial restrictions. An authenticated user can force the server to fetch from internal hosts on default ports (80/443) using hostnames or IPv6 addresses that bypass the IP check. The full response body is returned. Lower severity than a fully unrestricted SSRF due to the port limitation.\n\n## Resolution\n\nThe issue was addressed in version 1.17.0 by improving IPv6 address validation",
"id": "GHSA-wm7j-m6jm-8797",
"modified": "2026-04-06T17:24:59Z",
"published": "2026-04-01T21:42:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-wm7j-m6jm-8797"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34526"
},
{
"type": "PACKAGE",
"url": "https://github.com/SillyTavern/SillyTavern"
},
{
"type": "WEB",
"url": "https://github.com/SillyTavern/SillyTavern/releases/tag/1.17.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6"
}
GHSA-WMG3-3G4F-J96J
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49OX App Suite 7.10.4 and earlier allows SSRF via a snippet.
{
"affected": [],
"aliases": [
"CVE-2020-28943"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-30T22:15:00Z",
"severity": "MODERATE"
},
"details": "OX App Suite 7.10.4 and earlier allows SSRF via a snippet.",
"id": "GHSA-wmg3-3g4f-j96j",
"modified": "2022-05-24T17:49:23Z",
"published": "2022-05-24T17:49:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28943"
},
{
"type": "WEB",
"url": "https://open-xchange.com"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.