CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4607 vulnerabilities reference this CWE, most recent first.
GHSA-X288-3778-4HHX
Vulnerability from github – Published: 2026-02-25 22:42 – Updated: 2026-02-25 22:42A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and X-Forwarded-* family to determine the application's base origin without any validation of the destination domain.
Specifically, the framework didn't have checks for the following:
- Host Domain: The Host and X-Forwarded-Host headers were not checked to belong to a trusted origin. This allows an attacker to redefine the "base" of the application to an arbitrary external domain.
- Path & Character Sanitization: The X-Forwarded-Host header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.
- Port Validation: The X-Forwarded-Port header was not verified as numeric, leading to malformed URI construction or injection attacks.
This vulnerability manifests in two primary ways:
- Implicit Relative URL Resolution: Angular's
HttpClientresolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can "steer" these requests to an external server or internal service. - Explicit Manual Construction: Developers injecting the
REQUESTobject to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing theHost/X-Forwarded-*headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.
Impact
When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to:
- Credential Exfiltration: Stealing sensitive Authorization headers or session cookies by redirecting them to an attacker's server.
- Internal Network Probing: Accessing and transmitting data from internal services, databases, or cloud metadata endpoints (e.g., 169.254.169.254) not exposed to the public internet.
- Confidentiality Breach: Accessing sensitive information processed within the application's server-side context.
Attack Preconditions
- The victim application must use Angular SSR (Server-Side Rendering).
- The application must perform
HttpClientrequests using relative URLs OR manually construct URLs using the unvalidatedHost/X-Forwarded-*headers using theREQUESTobject. - Direct Header Access: The application server is reachable by an attacker who can influence these headers without strict validation from a front-facing proxy.
- Lack of Upstream Validation: The infrastructure (Cloud, CDN, or Load Balancer) does not sanitize or validate incoming headers.
Patches
- 21.2.0-rc.1
- 21.1.5
- 20.3.17
- 19.2.21
Workarounds
- Use Absolute URLs: Avoid using
req.headersfor URL construction. Instead, use trusted variables for your base API paths. - Implement Strict Header Validation (Middleware): If you cannot upgrade immediately, implement a middleware in your
server.tsto enforce numeric ports and validated hostnames.
const ALLOWED_HOSTS = new Set(['your-domain.com']);
app.use((req, res, next) => {
const hostHeader = (req.headers['x-forwarded-host'] ?? req.headers['host'])?.toString();
const portHeader = req.headers['x-forwarded-port']?.toString();
if (hostHeader) {
const hostname = hostHeader.split(':')[0];
// Reject if hostname contains path separators or is not in allowlist
if (/^[a-z0-9.:-]+$/i.test(hostname) ||
(!ALLOWED_HOSTS.has(hostname) && hostname !== 'localhost')) {
return res.status(400).send('Invalid Hostname');
}
}
// Ensure port is strictly numeric if provided
if (portHeader && !/^\d+$/.test(portHeader)) {
return res.status(400).send('Invalid Port');
}
next();
});
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 21.2.0-rc.0"
},
"package": {
"ecosystem": "npm",
"name": "@angular/ssr"
},
"ranges": [
{
"events": [
{
"introduced": "21.2.0-next.0"
},
{
"fixed": "21.2.0-rc.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/ssr"
},
"ranges": [
{
"events": [
{
"introduced": "21.0.0-next.0"
},
{
"fixed": "21.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/ssr"
},
"ranges": [
{
"events": [
{
"introduced": "20.0.0-next.0"
},
{
"fixed": "20.3.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/ssr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "19.2.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@nguniversal/common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@nguniversal/express-engine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27739"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T22:42:36Z",
"nvd_published_at": "2026-02-25T18:23:40Z",
"severity": "CRITICAL"
},
"details": "A [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability has been identified in the Angular SSR request handling pipeline. The vulnerability exists because Angular\u2019s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application\u0027s base origin without any validation of the destination domain.\n\nSpecifically, the framework didn\u0027t have checks for the following:\n- **Host Domain**: The `Host` and `X-Forwarded-Host` headers were not checked to belong to a trusted origin. This allows an attacker to redefine the \"base\" of the application to an arbitrary external domain.\n- **Path \u0026 Character Sanitization**: The `X-Forwarded-Host` header was not checked for path segments or special characters, allowing manipulation of the base path for all resolved relative URLs.\n- **Port Validation**: The `X-Forwarded-Port` header was not verified as numeric, leading to malformed URI construction or injection attacks.\n\n\nThis vulnerability manifests in two primary ways:\n\n- **Implicit Relative URL Resolution**: Angular\u0027s `HttpClient` resolves relative URLs against this unvalidated and potentially malformed base origin. An attacker can \"steer\" these requests to an external server or internal service.\n- **Explicit Manual Construction**: Developers injecting the `REQUEST` object to manually construct URLs (for fetch or third-party SDKs) directly inherit these unsanitized values. By accessing the `Host` / `X-Forwarded-*` headers, the application logic may perform requests to attacker-controlled destinations or malformed endpoints.\n\n### Impact\n\nWhen successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to:\n- **Credential Exfiltration**: Stealing sensitive `Authorization` headers or session cookies by redirecting them to an attacker\u0027s server.\n- **Internal Network Probing**: Accessing and transmitting data from internal services, databases, or cloud metadata endpoints (e.g., `169.254.169.254`) not exposed to the public internet.\n- Confidentiality Breach: Accessing sensitive information processed within the application\u0027s server-side context.\n\n### Attack Preconditions\n\n- The victim application must use Angular SSR (Server-Side Rendering).\n- The application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object.\n- **Direct Header Access**: The application server is reachable by an attacker who can influence these headers without strict validation from a front-facing proxy.\n- **Lack of Upstream Validation**: The infrastructure (Cloud, CDN, or Load Balancer) does not sanitize or validate incoming headers.\n\n### Patches\n\n- 21.2.0-rc.1\n- 21.1.5\n- 20.3.17\n- 19.2.21\n\n\n### Workarounds\n- **Use Absolute URLs:** Avoid using `req.headers` for URL construction. Instead, use trusted variables for your base API paths.\n- **Implement Strict Header Validation (Middleware)**: If you cannot upgrade immediately, implement a middleware in your `server.ts` to enforce numeric ports and validated hostnames.\n\n```ts\nconst ALLOWED_HOSTS = new Set([\u0027your-domain.com\u0027]);\n\napp.use((req, res, next) =\u003e {\n const hostHeader = (req.headers[\u0027x-forwarded-host\u0027] ?? req.headers[\u0027host\u0027])?.toString();\n const portHeader = req.headers[\u0027x-forwarded-port\u0027]?.toString();\n\n if (hostHeader) {\n const hostname = hostHeader.split(\u0027:\u0027)[0];\n // Reject if hostname contains path separators or is not in allowlist\n if (/^[a-z0-9.:-]+$/i.test(hostname) || \n (!ALLOWED_HOSTS.has(hostname) \u0026\u0026 hostname !== \u0027localhost\u0027)) {\n return res.status(400).send(\u0027Invalid Hostname\u0027);\n }\n }\n\n // Ensure port is strictly numeric if provided\n if (portHeader \u0026\u0026 !/^\\d+$/.test(portHeader)) {\n return res.status(400).send(\u0027Invalid Port\u0027);\n }\n\n next();\n});\n```\n\n### References\n\n- [Fix](https://github.com/angular/angular-cli/pull/32516)\n- [Docs](https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf)",
"id": "GHSA-x288-3778-4hhx",
"modified": "2026-02-25T22:42:36Z",
"published": "2026-02-25T22:42:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27739"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular-cli/pull/32516"
},
{
"type": "WEB",
"url": "https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf"
},
{
"type": "WEB",
"url": "https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF"
},
{
"type": "PACKAGE",
"url": "https://github.com/angular/angular-cli"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline"
}
GHSA-X2F5-332J-9XWQ
Vulnerability from github – Published: 2026-03-30 17:08 – Updated: 2026-04-06 16:44Summary
Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header.
Patches
Fixed in Docker Model Runner v1.1.25 Docker Desktop users should update to 4.67.0 or later, which includes the fixed Model Runner.
Workarounds
For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
Impact
An unprivileged container or a malicious OCI registry that the user performed a pull from might issue GET requests to host-local services (localhost, internal network)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/model-runner"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33990"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T17:08:25Z",
"nvd_published_at": "2026-04-01T17:28:39Z",
"severity": "MODERATE"
},
"details": "## Summary\nDocker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry\u0027s `WWW-Authenticate` header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., `http://127.0.0.1:3000/`), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the `Authorization: Bearer` header.\n\n## Patches\nFixed in Docker Model Runner v1.1.25\nDocker Desktop users should update to 4.67.0 or later, which includes the fixed Model Runner.\n\n## Workarounds\nFor Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.\n\n## Impact\nAn unprivileged container or a malicious OCI registry that the user performed a pull from might issue GET requests to host-local services (localhost, internal network)",
"id": "GHSA-x2f5-332j-9xwq",
"modified": "2026-04-06T16:44:36Z",
"published": "2026-03-30T17:08:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/docker/model-runner/security/advisories/GHSA-x2f5-332j-9xwq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33990"
},
{
"type": "PACKAGE",
"url": "https://github.com/docker/model-runner"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF)"
}
GHSA-X2MH-8FMC-RQGH
Vulnerability from github – Published: 2023-08-23 18:30 – Updated: 2025-02-13 19:11Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.
Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.0b1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-37379"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-400",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-24T12:52:17Z",
"nvd_published_at": "2023-08-23T16:15:09Z",
"severity": "HIGH"
},
"details": "Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.\n\nUsers of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.",
"id": "GHSA-x2mh-8fmc-rqgh",
"modified": "2025-02-13T19:11:02Z",
"published": "2023-08-23T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37379"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/32052"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/e4c3ecf8ceaefa17525b495e4bcb5b2f41309603"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-152.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/g5c9vcn27lr14go48thrjpo6f4vw571r"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/08/23/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Airflow denial of service vulnerability"
}
GHSA-X2QR-JHH4-F3VX
Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-01-26 21:30Server-Side Request Forgery (SSRF) vulnerability in Prince Radio Player radio-player allows Server Side Request Forgery.This issue affects Radio Player: from n/a through <= 2.0.91.
{
"affected": [],
"aliases": [
"CVE-2026-24548"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T15:16:10Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in Prince Radio Player radio-player allows Server Side Request Forgery.This issue affects Radio Player: from n/a through \u003c= 2.0.91.",
"id": "GHSA-x2qr-jhh4-f3vx",
"modified": "2026-01-26T21:30:35Z",
"published": "2026-01-23T15:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24548"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-91-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2VJ-49JW-8JMG
Vulnerability from github – Published: 2023-02-02 00:30 – Updated: 2023-02-09 21:30In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely.
{
"affected": [],
"aliases": [
"CVE-2022-37033"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-01T22:15:00Z",
"severity": "MODERATE"
},
"details": "In dotCMS 5.x-22.06, TempFileAPI allows a user to create a temporary file based on a passed in URL, while attempting to block any SSRF access to local IP addresses or private subnets. In resolving this URL, the TempFileAPI follows any 302 redirects that the remote URL returns. Because there is no re-validation of the redirect URL, the TempFileAPI can be used to return data from those local/private hosts that should not be accessible remotely.",
"id": "GHSA-x2vj-49jw-8jmg",
"modified": "2023-02-09T21:30:28Z",
"published": "2023-02-02T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37033"
},
{
"type": "WEB",
"url": "https://www.dotcms.com/security/SI-64"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2WV-W39C-7C55
Vulnerability from github – Published: 2026-04-20 15:31 – Updated: 2026-04-20 15:31A vulnerability was determined in Qibo CMS 1.0. Affected by this issue is some unknown functionality of the file /index/image/headers. Executing a manipulation of the argument starts can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-6649"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-20T14:16:23Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in Qibo CMS 1.0. Affected by this issue is some unknown functionality of the file /index/image/headers. Executing a manipulation of the argument starts can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-x2wv-w39c-7c55",
"modified": "2026-04-20T15:31:52Z",
"published": "2026-04-20T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6649"
},
{
"type": "WEB",
"url": "https://tcn60zf28jhk.feishu.cn/wiki/VYIcwwH4uiWZMgkX0SecopTgnQd?from=from_copylink"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/793510"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/358283"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/358283/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-X34H-5QGF-76HX
Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2024-06-27 21:32stangirard/quivr version 0.0.236 contains a Server-Side Request Forgery (SSRF) vulnerability. The application does not provide sufficient controls when crawling a website, allowing an attacker to access applications on the local network. This vulnerability could allow a malicious user to gain access to internal servers, the AWS metadata endpoint, and capture Supabase data.
{
"affected": [],
"aliases": [
"CVE-2024-5885"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-27T19:15:17Z",
"severity": "HIGH"
},
"details": "stangirard/quivr version 0.0.236 contains a Server-Side Request Forgery (SSRF) vulnerability. The application does not provide sufficient controls when crawling a website, allowing an attacker to access applications on the local network. This vulnerability could allow a malicious user to gain access to internal servers, the AWS metadata endpoint, and capture Supabase data.",
"id": "GHSA-x34h-5qgf-76hx",
"modified": "2024-06-27T21:32:08Z",
"published": "2024-06-27T21:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5885"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/c178bf48-1d4a-4743-87ca-4cc8e475d274"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X34J-WXQ8-7VCM
Vulnerability from github – Published: 2022-05-17 02:56 – Updated: 2023-08-03 22:13The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 allows remote attackers to conduct server-side request forgery (SSRF) attacks via the url parameter.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.CMS"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-8813"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-03T22:13:29Z",
"nvd_published_at": "2017-03-03T16:59:00Z",
"severity": "HIGH"
},
"details": "The `Page_Load` function in [Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs](https://github.com/umbraco/Umbraco-CMS/commit/924a016ffe7ae7ea6d516c07a7852f0095eddbce#diff-2899f01df84571577834f97a81637c65e20178ec6129b76c02f99789b23cf72e) in Umbraco before 7.4.0 allows remote attackers to conduct server-side request forgery (SSRF) attacks via the url parameter.",
"id": "GHSA-x34j-wxq8-7vcm",
"modified": "2023-08-03T22:13:29Z",
"published": "2022-05-17T02:56:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8813"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/commit/924a016ffe7ae7ea6d516c07a7852f0095eddbce"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20230608160721/https://issues.umbraco.org/issue/U4-7457"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/02/16/10"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/02/17/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/02/17/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/02/18/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Umbraco CMS vulnerable to CSRF"
}
GHSA-X3CH-9M5C-P5C4
Vulnerability from github – Published: 2024-02-29 00:30 – Updated: 2024-08-12 21:31An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.
{
"affected": [],
"aliases": [
"CVE-2024-26476"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-28T22:15:26Z",
"severity": "LOW"
},
"details": "An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.",
"id": "GHSA-x3ch-9m5c-p5c4",
"modified": "2024-08-12T21:31:31Z",
"published": "2024-02-29T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26476"
},
{
"type": "WEB",
"url": "https://github.com/mpdf/mpdf/issues/867"
},
{
"type": "WEB",
"url": "https://github.com/c4v4r0n/Research/blob/main/openemr_BlindSSRF/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X3CX-PX43-RQM5
Vulnerability from github – Published: 2025-10-12 03:30 – Updated: 2025-10-12 03:30HCL Unica Centralized Offer Management is vulnerable to a potential Server-Side Request Forgery (SSRF). An attacker can exploit improper input validation by submitting maliciously crafted input to a target application running on a server.
{
"affected": [],
"aliases": [
"CVE-2025-31993"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-12T03:15:32Z",
"severity": "LOW"
},
"details": "HCL Unica Centralized Offer Management is vulnerable to a potential Server-Side Request Forgery (SSRF). An attacker can exploit improper input validation by submitting maliciously crafted input to a target application running on a server.",
"id": "GHSA-x3cx-px43-rqm5",
"modified": "2025-10-12T03:30:34Z",
"published": "2025-10-12T03:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31993"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124422"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.