Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-35949

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-12 Aug, 2022 | 00:00
Updated At-22 Apr, 2025 | 17:42
Rejected At-
Credits

`undici.request` vulnerable to SSRF using absolute URL on `pathname`

undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:12 Aug, 2022 | 00:00
Updated At:22 Apr, 2025 | 17:42
Rejected At:
▼CVE Numbering Authority (CNA)
`undici.request` vulnerable to SSRF using absolute URL on `pathname`

undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

Affected Products
Vendor
Node.js (OpenJS Foundation)nodejs
Product
undici
Versions
Affected
  • <= 5.8.1
Problem Types
TypeCWE IDDescription
CWECWE-918CWE-918: Server-Side Request Forgery (SSRF)
Type: CWE
CWE ID: CWE-918
Description: CWE-918: Server-Side Request Forgery (SSRF)
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3
N/A
https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
N/A
https://github.com/nodejs/undici/releases/tag/v5.8.2
N/A
Hyperlink: https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3
Resource: N/A
Hyperlink: https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
Resource: N/A
Hyperlink: https://github.com/nodejs/undici/releases/tag/v5.8.2
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3
x_transferred
https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
x_transferred
https://github.com/nodejs/undici/releases/tag/v5.8.2
x_transferred
Hyperlink: https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3
Resource:
x_transferred
Hyperlink: https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
Resource:
x_transferred
Hyperlink: https://github.com/nodejs/undici/releases/tag/v5.8.2
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:12 Aug, 2022 | 23:15
Updated At:28 Mar, 2023 | 17:10

undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. This issue was fixed in `undici@5.8.1`. The best workaround is to validate user input before passing it to the `undici.request` call.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches

Node.js (OpenJS Foundation)
nodejs
>>undici>>Versions up to 5.8.1(inclusive)
cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-918Primarysecurity-advisories@github.com
CWE ID: CWE-918
Type: Primary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895security-advisories@github.com
Patch
Third Party Advisory
https://github.com/nodejs/undici/releases/tag/v5.8.2security-advisories@github.com
Release Notes
Third Party Advisory
https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3security-advisories@github.com
Exploit
Mitigation
Third Party Advisory
Hyperlink: https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895
Source: security-advisories@github.com
Resource:
Patch
Third Party Advisory
Hyperlink: https://github.com/nodejs/undici/releases/tag/v5.8.2
Source: security-advisories@github.com
Resource:
Release Notes
Third Party Advisory
Hyperlink: https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3
Source: security-advisories@github.com
Resource:
Exploit
Mitigation
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

375Records found

CVE-2015-6764
Matching Score-8
Assigner-Chrome
ShareView Details
Matching Score-8
Assigner-Chrome
CVSS Score-9.8||CRITICAL
EPSS-4.69% / 90.68%
||
7 Day CHG~0.00%
Published-06 Dec, 2015 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier in Google V8, as used in Google Chrome before 47.0.2526.73, improperly loads array elements, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via crafted JavaScript code.

Action-Not Available
Vendor-n/aDebian GNU/LinuxGoogle LLCNode.js (OpenJS Foundation)
Product-chromedebian_linuxnode.jsn/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2026-48930
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-5.6||MEDIUM
EPSS-0.40% / 32.46%
||
7 Day CHG+0.12%
Published-26 Jun, 2026 | 01:14
Updated-26 Jun, 2026 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-node.jsnode
CWE ID-CWE-284
Improper Access Control
CVE-2016-9843
Matching Score-8
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-8
Assigner-OpenText (formerly Micro Focus)
CVSS Score-9.8||CRITICAL
EPSS-5.95% / 92.38%
||
7 Day CHG~0.00%
Published-23 May, 2017 | 03:56
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

Action-Not Available
Vendor-zlibn/aCanonical Ltd.Apple Inc.MariaDB FoundationopenSUSEOracle CorporationRed Hat, Inc.Debian GNU/LinuxNode.js (OpenJS Foundation)NetApp, Inc.
Product-debian_linuxubuntu_linuxjremac_os_xmariadbenterprise_linux_desktopdatabase_serveroncommand_insighttvoswatchosactive_iq_unified_manageroncommand_workflow_automationjdkenterprise_linux_serverenterprise_linux_workstationzlibsatellitemysqlnode.jsleapiphone_osenterprise_linux_eussnapcenteropensusen/a
CVE-2025-55132
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-2.8||LOW
EPSS-0.23% / 13.33%
||
7 Day CHG~0.00%
Published-20 Jan, 2026 | 20:41
Updated-03 Feb, 2026 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-node.jsnode
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-39332
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-1.82% / 76.10%
||
7 Day CHG~0.00%
Published-18 Oct, 2023 | 03:55
Updated-03 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Action-Not Available
Vendor-Fedora ProjectNode.js (OpenJS Foundation)
Product-fedoranode.jsNode
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2019-15605
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-57.13% / 98.95%
||
7 Day CHG~0.00%
Published-07 Feb, 2020 | 14:55
Updated-30 Apr, 2025 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

Action-Not Available
Vendor-Node.js (OpenJS Foundation)Oracle CorporationopenSUSEFedora ProjectRed Hat, Inc.Debian GNU/Linux
Product-enterprise_linux_serverdebian_linuxsoftware_collectionsgraalvmenterprise_linux_server_ausenterprise_linux_workstationfedoraenterprise_linuxenterprise_linux_eusenterprise_linux_server_tusenterprise_linux_desktopnode.jsleapNode
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2019-15606
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-20.04% / 97.12%
||
7 Day CHG~0.00%
Published-07 Feb, 2020 | 14:58
Updated-30 Apr, 2025 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Including trailing white space in HTTP header values in Nodejs 10, 12, and 13 causes bypass of authorization based on header value comparisons

Action-Not Available
Vendor-Node.js (OpenJS Foundation)Oracle CorporationopenSUSERed Hat, Inc.Debian GNU/Linux
Product-debian_linuxgraalvmcommunications_cloud_native_core_network_function_cloud_native_environmententerprise_linuxenterprise_linux_eusnode.jsleapNode
CWE ID-CWE-20
Improper Input Validation
CVE-2026-1525
Matching Score-8
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
ShareView Details
Matching Score-8
Assigner-ce714d77-add3-4f53-aff5-83d477b104bb
CVSS Score-6.5||MEDIUM
EPSS-0.49% / 38.75%
||
7 Day CHG~0.00%
Published-12 Mar, 2026 | 19:56
Updated-19 Mar, 2026 | 17:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
undici is vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

Action-Not Available
Vendor-undiciNode.js (OpenJS Foundation)
Product-undiciundici
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2024-21896
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-7.9||HIGH
EPSS-1.26% / 66.07%
||
7 Day CHG~0.00%
Published-20 Feb, 2024 | 01:31
Updated-30 Apr, 2025 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-node.jsNodenodejs
CWE ID-CWE-27
Path Traversal: 'dir/../../filename'
CVE-2021-22918
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-23.13% / 97.49%
||
7 Day CHG~0.00%
Published-12 Jul, 2021 | 00:00
Updated-30 Apr, 2025 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to information disclosures or crashes. This function can be triggered via uv_getaddrinfo().

Action-Not Available
Vendor-Node.js (OpenJS Foundation)Siemens AG
Product-sinec_infrastructure_network_servicesnode.jsNode
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-22931
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-21.95% / 97.36%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 00:00
Updated-30 Apr, 2025 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.

Action-Not Available
Vendor-Oracle CorporationNode.js (OpenJS Foundation)NetApp, Inc.Siemens AG
Product-sinec_infrastructure_network_servicespeoplesoft_enterprise_peopletoolsgraalvmmysql_clusternextgen_apiactive_iq_unified_manageroncommand_workflow_automationsnapcenternode.jsoncommand_insightNode
CWE ID-CWE-170
Improper Null Termination
CWE ID-CWE-20
Improper Input Validation
CVE-2023-32002
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-1.43% / 69.78%
||
7 Day CHG~0.00%
Published-21 Aug, 2023 | 16:52
Updated-02 Jul, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-node.jsNodenodejs
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2023-32005
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-1.19% / 64.18%
||
7 Day CHG~0.00%
Published-12 Sep, 2023 | 01:36
Updated-05 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the `fs.statfs` API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-node.jsNode
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2023-30582
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-0.58% / 43.48%
||
7 Day CHG~0.00%
Published-07 Sep, 2024 | 16:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from an inadequate permission model that fails to restrict file watching through the fs.watchFile API. As a result, malicious actors can monitor files that they do not have explicit read access to. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-Nodenodejs
CWE ID-CWE-284
Improper Access Control
CVE-2016-9841
Matching Score-8
Assigner-OpenText (formerly Micro Focus)
ShareView Details
Matching Score-8
Assigner-OpenText (formerly Micro Focus)
CVSS Score-9.8||CRITICAL
EPSS-7.49% / 93.73%
||
7 Day CHG~0.00%
Published-23 May, 2017 | 03:56
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

Action-Not Available
Vendor-zlibn/aCanonical Ltd.Apple Inc.openSUSEOracle CorporationRed Hat, Inc.Debian GNU/LinuxNode.js (OpenJS Foundation)NetApp, Inc.
Product-ubuntu_linuxjrevasa_provider_for_clustered_data_ontaponcommand_unified_manageractive_iq_unified_managersnapmanageroncommand_workflow_automationjdkenterprise_linux_serverenterprise_linux_workstationvirtual_storage_consolemysqlleapiphone_osenterprise_linux_eussolidfiree-series_santricity_web_servicesopensusedebian_linuxmac_os_xoncommand_performance_managerenterprise_linux_desktopsymantec_netbackupdatabase_serverstorage_replication_adapter_for_clustered_data_ontaponcommand_balanceoncommand_insightsteelstore_cloud_integrated_storagetvoswatchoshci_storage_nodezlibsatelliteoncommand_shiftnode.jse-series_santricity_managemente-series_santricity_storage_managercloud_backupe-series_santricity_os_controllern/a
CVE-2016-6303
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-31.99% / 98.10%
||
7 Day CHG~0.00%
Published-16 Sep, 2016 | 00:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

Action-Not Available
Vendor-n/aOpenSSLNode.js (OpenJS Foundation)
Product-node.jsopenssln/a
CWE ID-CWE-787
Out-of-bounds Write
CVE-2016-5180
Matching Score-8
Assigner-Chrome
ShareView Details
Matching Score-8
Assigner-Chrome
CVSS Score-9.8||CRITICAL
EPSS-8.58% / 94.42%
||
7 Day CHG~0.00%
Published-03 Oct, 2016 | 15:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.

Action-Not Available
Vendor-c-aresc-ares_projectn/aCanonical Ltd.Debian GNU/LinuxNode.js (OpenJS Foundation)
Product-debian_linuxubuntu_linuxnode.jsc-aresn/a
CWE ID-CWE-787
Out-of-bounds Write
CVE-2021-22930
Matching Score-8
Assigner-HackerOne
ShareView Details
Matching Score-8
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-37.29% / 98.33%
||
7 Day CHG~0.00%
Published-07 Oct, 2021 | 00:00
Updated-30 Apr, 2025 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)NetApp, Inc.Siemens AGDebian GNU/Linux
Product-sinec_infrastructure_network_servicesnextgen_apidebian_linuxnode.jsNode
CWE ID-CWE-416
Use After Free
CVE-2024-3566
Matching Score-8
Assigner-CERT/CC
ShareView Details
Matching Score-8
Assigner-CERT/CC
CVSS Score-9.8||CRITICAL
EPSS-6.88% / 93.28%
||
7 Day CHG~0.00%
Published-10 Apr, 2024 | 15:22
Updated-15 May, 2026 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Command injection vulnerability in programing languages on Microsoft Windows operating system.

A command inject vulnerability allows an attacker to perform command injection on Windows applications that indirectly depend on the CreateProcess function when the specific conditions are satisfied.

Action-Not Available
Vendor-rust-langyt-dlp_projecthaskellGo Programming LanguageHaskell Programming Languagerust-langthephpgroupyt-dlp_projecthaskellThe PHP GroupGoMicrosoft CorporationNode.js (OpenJS Foundation)
Product-node.jsphprustyt-dlpwindowsprocess_libraryGoLangHaskelNode.jsnodejsthephpgroupyt-dlpprocess_libraryrust
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-30150
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-5.3||MEDIUM
EPSS-0.32% / 24.13%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 22:21
Updated-09 Jan, 2026 | 02:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An unauthenticated privilege escalation vulnerability affects HCL MyCloud

HCL MyCloud is affected by Improper Access Control - an unauthenticated privilege escalation vulnerability which may lead to information disclosure and potential for Server-Side Request Forgery (SSRF) and Denial of Service(DOS) attacks from unauthenticated users.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_mycloudMyCloud
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-29035
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.43% / 34.63%
||
7 Day CHG~0.00%
Published-17 Apr, 2024 | 14:20
Updated-12 Feb, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Umbraco's Blind SSRF Leads to Port Scan by using Webhooks

Umbraco is an ASP.NET CMS. Failing webhooks logs are available when solution is not in debug mode. Those logs can contain information that is critical. This vulnerability is fixed in 13.1.1.

Action-Not Available
Vendor-Umbraco A/S (Umbraco)
Product-umbraco_cmsUmbraco-CMSumbraco_cms
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-29028
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-1.05% / 60.08%
||
7 Day CHG~0.00%
Published-19 Apr, 2024 | 15:14
Updated-07 Jul, 2025 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
memos vulnerable to an SSRF in /o/get/httpmeta

memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/httpmeta that allows unauthenticated users to enumerate the internal network and receive limited html values in json form. This vulnerability is fixed in 0.16.1.

Action-Not Available
Vendor-Usememos
Product-memosmemosmemos
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-29319
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-3.8||LOW
EPSS-0.39% / 30.48%
||
7 Day CHG~0.00%
Published-05 Jul, 2024 | 00:00
Updated-02 Aug, 2024 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Volmarg Personal Management System 1.4.64 is vulnerable to SSRF (Server Side Request Forgery) via uploading a SVG file. The server can make unintended HTTP and DNS requests to a server that the attacker controls.

Action-Not Available
Vendor-personal-management-systemn/avolmarg
Product-personal_management_systemn/apersonal_management_system
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-29030
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-1.14% / 62.58%
||
7 Day CHG~0.00%
Published-19 Apr, 2024 | 15:13
Updated-07 Jul, 2025 | 16:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
memos vulnerable to an SSRF in /api/resource

memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable file.

Action-Not Available
Vendor-Usememos
Product-memosmemosmemos
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-20408
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-5.3||MEDIUM
EPSS-1.00% / 58.46%
||
7 Day CHG~0.00%
Published-01 Jul, 2020 | 01:35
Updated-16 Sep, 2024 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

Action-Not Available
Vendor-Atlassian
Product-jiraJira Server
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-23534
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.25% / 65.83%
||
7 Day CHG~0.00%
Published-25 Feb, 2021 | 15:59
Updated-04 Aug, 2024 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the 'source' parameter.

Action-Not Available
Vendor-masterlabn/a
Product-masterlabn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-27347
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-5.3||MEDIUM
EPSS-1.00% / 58.39%
||
7 Day CHG~0.00%
Published-22 Apr, 2024 | 14:07
Updated-30 Jun, 2025 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache HugeGraph-Hubble: SSRF in Hubble connection page

Server-Side Request Forgery (SSRF) vulnerability in Apache HugeGraph-Hubble.This issue affects Apache HugeGraph-Hubble: from 1.0.0 before 1.3.0. Users are recommended to upgrade to version 1.3.0, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-hugegraph-hubbleApache HugeGraph-Hubblehugegraph-hubble
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-8034
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
ShareView Details
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
CVSS Score-7.9||HIGH
EPSS-0.38% / 29.66%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 21:18
Updated-11 May, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-side request forgery vulnerability in GitHub Enterprise Server notebook viewer via URL parser confusion

A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program.

Action-Not Available
Vendor-GitHub, Inc.
Product-enterprise_serverEnterprise Server
CWE ID-CWE-436
Interpretation Conflict
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2004-2061
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.70% / 92.07%
||
7 Day CHG~0.00%
Published-10 May, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RiSearch 1.0.01 and RiSearch Pro 3.2.06 allows remote attackers to use the show.pl script as an open proxy, or read arbitrary local files, by setting the url parameter to a (1) http://, (2) ftp://, or (3) file:// URL.

Action-Not Available
Vendor-risearchn/a
Product-risearch_prorisearchn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-15377
Matching Score-4
Assigner-Brocade Communications Systems, LLC
ShareView Details
Matching Score-4
Assigner-Brocade Communications Systems, LLC
CVSS Score-9.8||CRITICAL
EPSS-1.16% / 63.17%
||
7 Day CHG~0.00%
Published-09 Jun, 2021 | 15:15
Updated-04 Aug, 2024 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Webtools in Brocade SANnav before version 2.1.1 allows unauthenticated users to make requests to arbitrary hosts due to a misconfiguration; this is commonly referred to as Server-Side Request Forgery (SSRF).

Action-Not Available
Vendor-n/aBroadcom Inc.
Product-sannavBrocade SANnav
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-54514
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 12.32%
||
7 Day CHG-0.01%
Published-23 Jun, 2026 | 20:51
Updated-27 Jun, 2026 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.

Action-Not Available
Vendor-FasterXML, LLC.
Product-jackson-databindjackson-databind
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-54300
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 8.48%
||
7 Day CHG~0.00%
Published-22 Jun, 2026 | 17:30
Updated-23 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config

@astrojs/netlify is an adapter that allows Astro to deploy your hybrid or server rendered site to Netlify. Prior to 7.0.13, @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remote_images regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as *.example.com is converted to an optional subdomain regex, so the apex host matches. A single wildcard pathname such as /ok/* is converted without end anchoring, so deeper paths match by prefix. This vulnerability is fixed in 7.0.13.

Action-Not Available
Vendor-withastro
Product-astro
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-48998
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 9.74%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 12:34
Updated-15 Jun, 2026 | 14:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as `trusted.example@evil.example`. When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value. Applications are affected if they parse attacker-controlled raw HTTP requests with `GuzzleHttp\Psr7\Message::parseRequest()` or the legacy 1.x `GuzzleHttp\Psr7\parse_request()` function, or if they build server requests from attacker-controlled server variables, then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host. The issue is patched in `2.10.2`. `1.x` is end-of-life and will not receive a patch. Some workarounds are available. Validate the `Host` header as `uri-host [ ":" port ]` before calling `Message::parseRequest()` or legacy `parse_request()` on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI. Reject Host values containing userinfo, path, query, or fragment delimiters.

Action-Not Available
Vendor-guzzlephpguzzle
Product-psr-7psr7
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2002-1484
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-13.66% / 96.02%
||
7 Day CHG~0.00%
Published-18 Mar, 2003 | 05:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DB4Web server, when configured to use verbose debug messages, allows remote attackers to use DB4Web as a proxy and attempt TCP connections to other systems (port scan) via a request for a URL that specifies the target IP address and port, which produces a connection status in the resulting error message.

Action-Not Available
Vendor-n/aSiemens AG
Product-db4webn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-49328
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-5.3||MEDIUM
EPSS-0.50% / 39.22%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 10:10
Updated-01 Jun, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF

Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-fesodApache Fesod (Incubating)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-4789
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.70% / 48.84%
||
7 Day CHG~0.00%
Published-30 Mar, 2026 | 20:44
Updated-03 Apr, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVE-2026-4789

Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.

Action-Not Available
Vendor-kyvernoKyverno
Product-kyvernoKyverno
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-46698
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 13.66%
||
7 Day CHG~0.00%
Published-11 Jun, 2026 | 17:15
Updated-11 Jun, 2026 | 20:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fediverse Embeds: Public-nonce SSRF via ftf_get_site_info AJAX action

Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wp_ajax_nopriv_ftf_get_site_info (includes/Site_Info.php) that verified a nonce ftf-fediverse-embeds-nonce and then called file_get_html($site_url) on the attacker-supplied URL. The same nonce was enqueued onto every public page containing a fediverse embed (via includes/Enqueue_Assets.php lines 41-46 + includes/Helpers.php lines 64-83), so the nonce gate was not an authentication boundary; any visitor of a public post with an embed could grab it and reuse it. This issue has been patched in version 1.5.9.

Action-Not Available
Vendor-stefanbohacek
Product-fediverse-embeds-wordpress-plugin
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-18394
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-32.30% / 98.11%
||
7 Day CHG~0.00%
Published-24 Oct, 2019 | 10:58
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests.

Action-Not Available
Vendor-igniterealtimen/a
Product-openfiren/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-51980
Matching Score-4
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-4
Assigner-Rapid7, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.86% / 53.99%
||
7 Day CHG~0.00%
Published-25 Jun, 2025 | 07:22
Updated-07 Apr, 2026 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Server Side Request Forgery (SSRF) via WS-Addressing affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc.

An unauthenticated attacker may perform a limited server side request forgery (SSRF), forcing the target device to open a TCP connection to an arbitrary port number on an arbitrary IP address. This SSRF leverages the WS-Addressing ReplyTo element in a Web service (HTTP TCP port 80) SOAP request. The attacker can not control the data sent in the SSRF connection, nor can the attacker receive any data back. This SSRF is suitable for TCP port scanning of an internal network when the Web service (HTTP TCP port 80) is exposed across a network segment.

Action-Not Available
Vendor-Brother Industries, LtdFUJIFILM Business InnovationToshiba TecKonica Minolta, Inc.Ricoh Company, Ltd.
Product-HL-L5212DNDocuPrint P225 dHL-L5200DWHL-L5200DWTMFC-L3720CDWDCP-L2550DW (Japan)MFC-L3780CDWHL-L5210DWTMFC-J4535DW(XL)MFC-J4340DWEHL-B2080DWMFC-L2860DWEDCP-L3520CDWDCP-J914NMFC-L5800DWDCP-L2530DWMFC-L6950DWDCP-7189DWDocuPrint M118 zHL-B2100DBe-STUDIO302DNFHL-B2180DWMFC-J1010DWHL-L5215DNHL-L5210DNDCP-L5510DNDCP-J973N W/BMFC-L2751DWbizhub 4000iMFC-J6995CDWRJ-2150DCP-J928N-W/BDCP-L2550DW (Taiwan)MFC-J5340DWEDCP-B7530DNMFC-L6902DWMFC-L3755CDWMFC-J2340DWDCP-J4143NHL-L6300DWDCP-C1210NMFC-L2900DWDCP-1610WEDCP-1623WEDCP-L2537DWMFC-L2860DW (Japan)MFC-L3780CDW (Japan)DCP-1618WDCP-L2600DWMFC-1910WEHL-L1232WDCP-L2605DWMFC-L6915DWHL-B2158WDCP-L2540DW (Japan)DCP-1615NWMFC-J5345DWDocuPrint M288 zbizhub 3080MFMFC-L2740DWRRJ-3250WBDCP-T226MFC-J738DNTD-4420DNDocuPrint M268 dwHL-2560DNDCP-L2647DWDCP-L2625DWDCP-B7650DWMFC-J6555DWMFC-L2730DWRMFC-J904NMFC-T810W(China)MFC-1916NWSP 230DNwDCP-B7628DWHL-L2385DWHL-L2365DWRMFC-J738DWNRJ-2140MFC-L2880DWHL-L3270CDWMFC-L2820DWXLHL-L6400DWGDCP-L1632WDocuPrint M115 wMFC-L2760DWHL-L1230WHL-5595DNDCP-T835DWDCP-J973N-W/BHL-1210WEMFC-EX915DWMFC-L5710DWMFC-EX670WDCP-L2550DNRHL-L5218DNMFC-L3770CDWMFC-L2700DWDCP-T725DWDCP-J1700DWDCP-L2531DWMFC-J1300DWMFC-L2765DWDocuPrint P275 dwDCP-L2530DWRMFC-L8610CDW (Japan)DocuPrint M235 dwHL-L2370DNRMFC-L2880DW (Japan)MFC-J6947DWHL-L9410CDNMFC-L2862DWMFC-L6910DNDCP-B7608WDCP-B7640DWDCP-T820DWSP-1 (Japan)DCP-L1638WMFC-L2750DW (Japan)MFC-L9577CDWDCP-T436WHL-L2460DWXLDCP-L2535DWMFC-L5750DWDCP-B7620DWMFC-L2707DWM 340WApeos 4620 SXMFC-J6955DWDCP-B7640DW (Asia)HL-L6410DNMFC-L2802DWMFC-J7700CDWDocuPrint M285 zDCP-L2560DWRDCP-1612WEDCP-J988NApeosPrint 4620 SDN (For China)DocuPrint M260 zDCP-L5660DNMFC-L6750DWHL-L5212DWPJ-773DCP-B7600DMFC-L2701DWDCP-L1848WDocuPrint M225 dwMFC-L3760CDWDCP-J1100DWADS-3000Nbizhub 3000MFHL-L1238WPJ-883MFC-J805DWXLDocuPrint M225 zHL-L6210DWTDCP-B7535DW (China)DCP-B7600DBMFC-J815DWXLDocuPrint P235 dDCP-L2660DW (Japan)HL-L2380DWDCP-J1200W(XL)DCP-7190DWDCP-L2552DNDCP-L2520DWHL-J6000DWDCP-1612WMFC-J6999CDWHL-1223WRMFC-L5715DWMFC-1910WMFC-L9670CDNDCP-T426WHL-B2050DNMFC-J497DWDCP-B7520DWMFC-J7600CDWHL-L6310DWMFC-L2717DWDCP-L2627DWRJ-4250WBDCP-L2540DNDCP-J772DWMFC-L3750CDWHL-3190CDWHL-L5202DWDocuPrint M118 wMFC-J1170DWMFC-L3768CDWHL-L2425DWDocuPrint P115 wDocuPrint M375 dfMFC-L9570CDW (Japan)DocuPrint M265 zMFC-T930DWDCP-J978N-W/BPT-P950NWMFC-J898NDCP-J1140DWHL-1212WDCP-1610WDCP-T236MFC-L5915DWMFC-L6702DWHL-JF1HL-L5050DNMFC-L2730DNHL-L2440DWHL-L2460DWDCP-T220HL-T4000DWDocuPrint P268 dwDCP-L2550DNApeos 4620 SDFMFC-L5900DWMFC-L2710DWMFC-J6530DWMFC-L2885DWHL-B2150WDCP-L2541DWHL-L2460DNHL-L2351DWMFC-L2710DNRDCP-L2648DWMFC-1915WDCP-T439WDCP-J582NDCP-T720DWHL-2595DWMFC-L6912DWMFC-L2720DWFAX-L2800DWMFC-J6957DWMFC-L2800DWMFC-7895DWDocuPrint M378 dDCP-J526NMFC-B7811DWPT-P900WMFC-T810WMFC-L2712DWDCP-J1203NDCP-L2540DWMFC-L3745CDWTD-2350DMFC-J926N-WBMFC-L2807DWHL-L2350DWRDCP-L2508DWMFC-L3765CDWMFC-B7800DNMFC-L2720DNDCP-T735DWDCP-L2551DWHL-L6402DWMFC-L5912DWMFC-L6710DWHL-L2464DWMFC-L2750DWRMFC-L5755DW (Japan)MFC-L2732DWTD-4550DNWBMFC-T925DWDCP-L5610DNMFC-L6700DWMFC-L9610CDNHL-L2420DWHL-J7010CDWHL-EX470WHL-L2445DWMFC-L8610CDWDCP-L2520DWRHL-1210WRMFC-J6540DWEMFC-L2710DNMFC-L2740DWMFC-L2820DWDCP-L3550CDWMFC-L2960DWDCP-T425WMFC-J6983CDWDCP-C421WTD-2135NWBSADocuPrint P378 dDCP-B7638DNSP 230SFNwDCP-J972NHL-L5102DWMFC-L2922DWHL-L5215DWDCP-L2600DDCP-L2532DWMFC-J1800DW (USA)MFC-J6945DWDocuPrint P288 dwMFC-L3770CDW (Japan)DCP-L3528CDWMFC-L2886DWMFC-J5730DWMFC-L2750DWXLDCP-L8410CDWHL-L2315DWDCP-L3515CDWMFC-J895DWHL-L5100DNTQL-820NWBDocuPrint P285 dwMFC-J6580CDWDCP-L2627DWXLHL-L8360CDWHL-L6202DWDCP-J982N W/BMFC-J2730DWHL-L2371DNMFC-J739DNMFC-8540DNHL-L8240CDWHL-EX415DWMFC-L6970DWDCP-B7558WMFC-L6900DWGHL-L2365DWHL-L2465DWHL-B2188DWMFC-J1605DNMFC-J5830DWHL-L2400DWEHL-1222WEMFC-L2806DWHL-L2340DWRMFC-J3540DWFAX-L2710DNDCP-B7648DWMFC-8530DNMFC-J5930DWHL-L2461DNDCP-T525WMFC-J6959DWADS-3600WHL-L6415DWMFC-J739DWNMFC-L9635CDNRJ-2050HL-L8360CDWTDCP-L2627DWEDocuPrint P268 dMFC-L2740DW (Japan)MFC-J7300CDWHL-L6210DWDCP-J587NMFC-J5800CDWMFC-L2861DWHL-L2467DWDCP-T230HL-L2447DWMFC-J5855DWHL-1210WMFC-J1012DWMFC-J491DWHL-3160CDWMFC-J6535DWMFC-J903NDCP-L5510DWHL-L2350DWDCP-J987N-W/BHL-L2480DWMFC-L2880DWXLHL-L3288CDWMFC-L2805DWHL-1223WEDocuPrint M275 zMFC-J1205W(XL)DCP-T825DWMFC-1911WDCP-T830DWMFC-L2900DWXLMFC-J7500CDWMFC-L3740CDWHL-L3228CDWHL-J6100DWDCP-9030CDNMFC-J6935DWDocuPrint M115 zDCP-J4543NMFC-L5700DWMFC-J5845DW(XL)HL-L6450DWHL-L5100DNDCP-J987N W/BMFC-1919NWHL-L2325DWHL-L2360DNDCP-L3551CDWDCP-T535DWHL-L3280CDWMFC-J890DWMFC-L5710DNHL-L9430CDNDCP-L6600DWHL-L5210DN (Japan)MFC-B7720DNMFC-L2720DWRMFC-L2750DWMFC-J6940DWDCP-L3520CDWEHL-L2370DNHL-L3230CDWDocuPrint M375 zDCP-L5600DNDCP-J982N-W/BDocuPrint M385 zDocuPrint M235 zDCP-J572DWMFC-EX910HL-1212WEMFC-J4335DW(XL)ADS-2800WMFC-L5700DNDCP-T710W(China)DCP-L5518DNMFC-L6820DWApeosPrint 4620 SDN (For Asia-Pacific)MFC-L3730CDNHL-L6300DWTMFC-J6930DWHL-L5210DWbizhub 4020iMFC-L5902DWDocuPrint P378 dwDCP-1612WRHL-L2360DWMFC-L2715DWHL-L2370DWDCP-L2660DWMFC-L2713DWHL-B2180DWBMFC-J3930DWMFC-J6555DWXLMFC-L6915DNMFC-B7715DWHL-L6250DNHL-L2305WMFC-T920DWMFC-J2330DWMFC-J939DNMFC-L3710CDWDCP-L2551DNMFC-L8900CDWDCP-1623WRTD-2135NWBHL-L3215CWMFC-J5630CDWMFC-L2920DWHL-L3290CDWMFC-L2827DWXLDCP-T710WQL-1115NWBDCP-L5650DNMFC-L5710DW (Japan)DCP-L5662DNMFC-J4440NDocuPrint P385 dwMFC-J7100CDWDCP-J4140NHL-L2370DWXLHL-L2372DNDCP-B7658DWDCP-L5502DNMFC-L2716DWMFC-J805DWMFC-L2690DWMFC-J6730DWDCP-7190DNMFC-L2980DWDCP-J774DWMFC-L8690CDWMFC-J1800DW (Europe)DocuPrint M288 dwDCP-J1200WEMFC-L6810DWMFC-L6720DWHL-2569DWMFC-L2700DWRMFC-J5335DWDocuPrint M378 dfDCP-L2620DWMFC-L2835DWMFC-9350CDWHL-L2865DWDCP-J915NMFC-T4500DWMFC-J4540NHL-L2340DWQL-820NWBcMFC-EX670MFC-7880DNDocuPrint P360 dwDCP-L5652DNDCP-J528NDCP-T225DCP-L5512DNDCP-T520WMFC-J3530DWDocuPrint M115 fwMFC-L5718DNDCP-L2622DWHL-L2395DWMFC-J995DWXLHL-L8260CDNHL-L9470CDNHL-L6400DWTDCP-7090DWHL-L2360DNRMFC-L6900DW (Japan)MFC-L2700DNHL-L2386DWHL-L6418DWDCP-L2640DWHL-L2400DWMFC-L5717DWHL-L3220CWMFC-L2700DW (Asia)DCP-B7548WHL-L6200DWMFC-L5728DWMFC-J690DWMFC-L2685DWHL-L5210DW (Japan)HL-L1808WHL-L8245CDWMFC-L5702DWHL-5590DNMFC-J998DWNHL-2590DNDCP-L2535DW (China)MFC-L6800DWDCP-L2640DNHL-L6250DWHL-L6415DNFAX-L2700DNPT-P750WMFC-J5855DWXLMFC-J4540DW(XL)RJ-3150MFC-J5330DWMFC-J3940DWMFC-L2705DWHL-L2375DWHL-L2352DWDocuPrint P118 wHL-1212WRMFC-J6583CDWDCP-L3568CDWMFC-7889DWMFC-L2827DWMFC-J4345DWXLP 201WDocuPrint P388 dwMFC-L2712DNMFC-L8340CDWDCP-T430WMFC-J6980CDWMFC-L2770DWMFC-L3740CDWETD-2135NDCP-J978N W/BMFC-J5340DWHL-L8260CDWHL-L3295CDWApeosPrint 4620 SDWDCP-T510WDCP-J572NMFC-L2715DW (Taiwan/Korea/Hong Kong)HL-L2376DWDCP-1617NWDCP-7180DNDocuPrint P375 dDCP-T536DWDCP-T510W(China)DCP-L3517CDWMFC-L5802DWDCP-L5500DNHL-L6217DWMFC-L2703DWDocuPrint M268 zMFC-J6740DWMFC-J1500NDCP-T530DWDocuPrint P260 dwDCP-B7578DWMFC-7890DNHL-L3240CDWM 340FWMFC-J6997CDWMFC-J893NTD-2320DTD-2350DSAMFC-J6540DWHL-J6000CDWDCP-T428WMFC-L2805DW (Asia)TD-2135NSAHL-L5228DWMFC-L9630CDNMFC-B7810DWHL-L6412DWHL-L8230CDWDCP-L5602DNDCP-T420WRJ-3050HL-L2357DWDCP-L2628DWDCP-L1630WDCP-B7520DW (China)DCP-1616NWMFC-T910DWMFC-J4443NMFC-L3735CDNMFC-J5955DWDCP-T730DWHL-J6010DWDCP-L2518DWMFC-L2817DWDCP-L3510CDWHL-L3220CWEDCP-B7620DWBHL-L2405WHL-L2390DWDCP-T238MFC-L6900DWDCP-L3560CDWDCP-7195DWHL-L6415DWTDocuPrint P375 dwMFC-T935DWHL-B2100DHL-L2366DWMFC-J998DNMFC-L2771DWHL-1218WHL-L2475DWHL-L2361DNMFC-L5850DWHL-L6310DW (Japan)DCP-L2550DWMFC-L2710DWRDCP-L2680DWHL-5595DNHMFC-L9570CDWDCP-J1200NMFC-J5945DWMFC-J1215WDCP-L2665DWHL-1211WMFC-1912WRMFC-J5740DWDCP-L2548DWMFC-B7810DWBMFC-J4340DW(XL)DCP-B7535DWHL-L3300CDWMFC-L8395CDWMFC-J939DWNHL-L9310CDWDCP-L3555CDWbizhub 5000iMFC-9150CDNMFC-L5715DNDCP-J981NADS-2400NDCP-L2550DW (China)DCP-J1050DWDCP-T435WDCP-1610WRDCP-L2540DNRe-STUDIO301DNHL-B2181DWDCP-L2560DWApeos 4620 SZDCP-J1800NDCP-J577NMFC-L8390CDWHL-L3230CDNHL-L6200DWTMFC-J4940DNMFC-L2680WHL-L3220CDWHL-L3210CWMFC-J2740DWTD-2320DSADocuPrint P265 dwDCP-1622WEMFC-L2802DNMFC-1911NWHL-L6400DWMFC-L2860DWSP-1MFC-L2730DWMFC-L5755DWHL-L2375DWRMFC-J995DWbizhub 5020iMFC-J905NDCP-B7640DWBMFC-J4440DW
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-17669
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.24% / 91.52%
||
7 Day CHG~0.00%
Published-17 Oct, 2019 | 12:03
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

Action-Not Available
Vendor-n/aDebian GNU/LinuxWordPress.org
Product-wordpressdebian_linuxn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-43654
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-35.26% / 98.24%
||
7 Day CHG~0.00%
Published-28 Sep, 2023 | 22:10
Updated-13 Feb, 2025 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TorchServe Server-Side Request Forgery

TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.

Action-Not Available
Vendor-pytorchpytorchpytorch
Product-torchserveservetorchserve
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-43995
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 31.58%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 17:49
Updated-20 May, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, multiple tool implementations directly import and invoke raw HTTP clients (node-fetch, axios) instead of using the secured wrapper. These tools include (1) OpenAPIToolkit/OpenAPIToolkit.ts, (2) WebScraperTool/WebScraperTool.ts, (3) MCP/core.ts, and (4) Arxiv/core.ts. This vulnerability is fixed in 3.1.0.

Action-Not Available
Vendor-flowiseaiFlowiseAI
Product-flowiseFlowise
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-44335
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.38% / 29.82%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 13:26
Updated-08 May, 2026 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF bypass in PraisonAI

PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has been patched in version 1.6.32.

Action-Not Available
Vendor-praisonMervinPraison
Product-praisonaiagentsPraisonAI
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-62207
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.6||HIGH
EPSS-0.62% / 45.45%
||
7 Day CHG~0.00%
Published-20 Nov, 2025 | 22:18
Updated-26 Feb, 2026 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure Monitor Elevation of Privilege Vulnerability

Azure Monitor Elevation of Privilege Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_monitorAzure Monitor Control Service
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-42592
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 8.36%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 15:30
Updated-18 May, 2026 | 13:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gotenberg: DNS rebinding bypasses SSRF validation on Chromium URL conversion routes

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostname with a short TTL returns a public IP on the first query (Gotenberg allows) and a private IP on the second query (Chromium connects to the attacker-chosen internal address). The CDP Fetch.requestPaused handler re-checks the URL but runs its own DNS resolution, leaving a timing window before Chromium's actual TCP connect. The rendered internal service response returns to the caller as a PDF. This vulnerability is fixed in 8.32.0.

Action-Not Available
Vendor-thecodingmachinegotenberg
Product-gotenberggotenberg
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-41423
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.26% / 16.91%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 13:06
Updated-12 May, 2026 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering (SSR). When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine (Express, etc.) passes the URL string to Angular’s rendering functions. Because the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked to believe the current origin is evil.com. This misinterpretation tricks the application into treating the attacker’s domain as the local origin. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This issue has been patched in versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8.

Action-Not Available
Vendor-angularangular
Product-angularangular
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-18355
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.51% / 71.40%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 18:38
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SSRF issue was discovered in the legacy Web launcher in Thycotic Secret Server before 10.7.

Action-Not Available
Vendor-thycoticn/a
Product-secret_servern/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-17670
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.51% / 90.35%
||
7 Day CHG~0.00%
Published-17 Oct, 2019 | 00:00
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

Action-Not Available
Vendor-n/aDebian GNU/LinuxWordPress.org
Product-wordpressdebian_linuxn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-34084
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.2||CRITICAL
EPSS-0.71% / 49.10%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 19:22
Updated-08 May, 2026 | 17:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFactory::load

PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0.

Action-Not Available
Vendor-PHPOffice
Product-phpspreadsheetPhpSpreadsheet
CWE ID-CWE-502
Deserialization of Untrusted Data
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2017-17674
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.57% / 83.28%
||
7 Day CHG~0.00%
Published-19 May, 2021 | 13:10
Updated-05 Aug, 2024 | 20:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion. Due to the lack of restrictions on what can be targeted, the system can be vulnerable to attacks such as system fingerprinting, internal port scanning, Server Side Request Forgery (SSRF), or remote code execution (RCE).

Action-Not Available
Vendor-bmcn/a
Product-remedy_mid-tiern/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 7
  • 8
  • Next
Details not found