Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-15317

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-10 Jul, 2026 | 00:00
Updated At-14 Jul, 2026 | 01:26
Rejected At-
Credits

Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery

A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:10 Jul, 2026 | 00:00
Updated At:14 Jul, 2026 | 01:26
Rejected At:
â–¼CVE Numbering Authority (CNA)
Sipeed PicoClaw Guarded Web Fetch Flow web.go WebFetchTool.Execute server-side request forgery

A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.

Affected Products
Vendor
Sipeed
Product
PicoClaw
CPEs
  • cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*
Modules
  • Guarded Web Fetch Flow
Versions
Affected
  • 0.2.0
  • 0.2.1
  • 0.2.2
  • 0.2.3
  • 0.2.4
  • 0.2.5
  • 0.2.6
  • 0.2.7
  • 0.2.8
  • 0.2.9
Problem Types
TypeCWE IDDescription
CWECWE-918Server-Side Request Forgery
Type: CWE
CWE ID: CWE-918
Description: Server-Side Request Forgery
Metrics
VersionBase scoreBase severityVector
4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3.06.3MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2.07.5N/A
AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 3.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Version: 2.0
Base score: 7.5
Base severity: N/A
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Eric-d (VulDB User)
coordinator
VulDB CNA Team
Timeline
EventDate
Advisory disclosed2026-07-09 00:00:00
VulDB entry created2026-07-09 02:00:00
VulDB entry last update2026-07-09 20:12:45
Event: Advisory disclosed
Date: 2026-07-09 00:00:00
Event: VulDB entry created
Date: 2026-07-09 02:00:00
Event: VulDB entry last update
Date: 2026-07-09 20:12:45
Replaced By

Rejected Reason

References
HyperlinkResource
https://vuldb.com/vuln/377257
vdb-entry
technical-description
https://vuldb.com/vuln/377257/cti
signature
permissions-required
https://vuldb.com/cve/CVE-2026-15317
third-party-advisory
https://vuldb.com/submit/852877
third-party-advisory
https://github.com/sipeed/picoclaw/issues/3078
exploit
issue-tracking
https://github.com/sipeed/picoclaw/
product
Hyperlink: https://vuldb.com/vuln/377257
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/vuln/377257/cti
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/cve/CVE-2026-15317
Resource:
third-party-advisory
Hyperlink: https://vuldb.com/submit/852877
Resource:
third-party-advisory
Hyperlink: https://github.com/sipeed/picoclaw/issues/3078
Resource:
exploit
issue-tracking
Hyperlink: https://github.com/sipeed/picoclaw/
Resource:
product
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:10 Jul, 2026 | 00:16
Updated At:14 Jul, 2026 | 02:16

A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.02.1LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.16.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Secondary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
N/A
Type: Secondary
Version: 4.0
Base score: 2.1
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Type: Secondary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-918Secondarycna@vuldb.com
CWE ID: CWE-918
Type: Secondary
Source: cna@vuldb.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/sipeed/picoclaw/cna@vuldb.com
N/A
https://github.com/sipeed/picoclaw/issues/3078cna@vuldb.com
N/A
https://vuldb.com/cve/CVE-2026-15317cna@vuldb.com
N/A
https://vuldb.com/submit/852877cna@vuldb.com
N/A
https://vuldb.com/vuln/377257cna@vuldb.com
N/A
https://vuldb.com/vuln/377257/cticna@vuldb.com
N/A
Hyperlink: https://github.com/sipeed/picoclaw/
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/sipeed/picoclaw/issues/3078
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/cve/CVE-2026-15317
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/submit/852877
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/377257
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/vuln/377257/cti
Source: cna@vuldb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

171Records found

CVE-2024-31215
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.51% / 40.08%
||
7 Day CHG~0.00%
Published-04 Apr, 2024 | 16:10
Updated-30 Jun, 2025 | 13:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mobile Security Framework (MobSF) vulnerable to Server-Side Request Forgery (SSRF) in firebase database check

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.

Action-Not Available
Vendor-Mobile Security Framework (MobSF)
Product-mobile_security_frameworkMobile-Security-Framework-MobSF
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2004-2061
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-5.70% / 92.15%
||
7 Day CHG~0.00%
Published-10 May, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RiSearch 1.0.01 and RiSearch Pro 3.2.06 allows remote attackers to use the show.pl script as an open proxy, or read arbitrary local files, by setting the url parameter to a (1) http://, (2) ftp://, or (3) file:// URL.

Action-Not Available
Vendor-risearchn/a
Product-risearch_prorisearchn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2017-0889
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-3.05% / 86.09%
||
7 Day CHG~0.00%
Published-13 Nov, 2017 | 17:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources.

Action-Not Available
Vendor-thoughtbotthoughtbot
Product-paperclippaperclip ruby gem
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2017-0906
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-2.59% / 83.58%
||
7 Day CHG~0.00%
Published-13 Nov, 2017 | 17:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource.get" method that could result in compromise of API keys or other critical resources.

Action-Not Available
Vendor-recurlyRecurly
Product-recurly_client_pythonrecurly python module
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-24140
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.3||HIGH
EPSS-1.16% / 63.47%
||
7 Day CHG~0.00%
Published-07 Apr, 2021 | 15:04
Updated-04 Aug, 2024 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Server-side request forgery in Wcms 0.3.2 let an attacker send crafted requests from the back-end server of a vulnerable web application via the pagename parameter to wex/html.php. It can help identify open ports, local network hosts and execute command on local services.

Action-Not Available
Vendor-wcmsn/a
Product-wcmsn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2017-1000237
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.57% / 72.58%
||
7 Day CHG~0.00%
Published-17 Nov, 2017 | 04:00
Updated-05 Dec, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

I, Librarian version <=4.6 & 4.7 is vulnerable to Server-Side Request Forgery in the ajaxsupplement.php resulting in the attacker being able to reset any user's password.

Action-Not Available
Vendor-scilicon/a
Product-i\,_librariann/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2017-0907
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-2.59% / 83.58%
||
7 Day CHG~0.00%
Published-13 Nov, 2017 | 17:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Recurly Client .NET Library before 1.0.1, 1.1.10, 1.2.8, 1.3.2, 1.4.14, 1.5.3, 1.6.2, 1.7.1, 1.8.1 is vulnerable to a Server-Side Request Forgery vulnerability due to incorrect use of "Uri.EscapeUriString" that could result in compromise of API keys or other critical resources.

Action-Not Available
Vendor-recurlyRecurly
Product-recurly_client_.netrecurly-api-client .NET library
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2017-0905
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-2.59% / 83.58%
||
7 Day CHG~0.00%
Published-13 Nov, 2017 | 17:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource#find" method that could result in compromise of API keys or other critical resources.

Action-Not Available
Vendor-recurlyRecurly
Product-recurly_client_rubyrecurly ruby gem
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-3026
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.35% / 27.42%
||
7 Day CHG~0.00%
Published-23 Feb, 2026 | 20:02
Updated-25 Feb, 2026 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
erzhongxmu JEEWMS UEditor getRemoteImage.jsp server-side request forgery

A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-jeewmserzhongxmu
Product-jeewmsJEEWMS
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-15822
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.3||HIGH
EPSS-1.41% / 69.56%
||
7 Day CHG+0.02%
Published-19 Oct, 2020 | 18:45
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-youtrackn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2002-1484
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-13.66% / 96.06%
||
7 Day CHG~0.00%
Published-18 Mar, 2003 | 05:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DB4Web server, when configured to use verbose debug messages, allows remote attackers to use DB4Web as a proxy and attempt TCP connections to other systems (port scan) via a request for a URL that specifies the target IP address and port, which produces a connection status in the resulting error message.

Action-Not Available
Vendor-n/aSiemens AG
Product-db4webn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-10980
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.82% / 76.35%
||
7 Day CHG~0.00%
Published-08 Apr, 2020 | 18:05
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-15619
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.25% / 16.55%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:00
Updated-15 Jul, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mosaxiv clawlet IPv4 tool_web_fetch.go web_fetch server-side request forgery

A weakness has been identified in mosaxiv clawlet up to 0.2.10. The impacted element is the function web_fetch of the file tools/tool_web_fetch.go of the component IPv4 Handler. This manipulation of the argument url causes server-side request forgery. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The reported GitHub issue was closed with the label "not planned".

Action-Not Available
Vendor-mosaxiv
Product-clawlet
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-16016
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.29% / 20.78%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 13:30
Updated-17 Jul, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
poco-ai poco-claw task.py run_task server-side request forgery

A vulnerability was identified in poco-ai poco-claw up to 0.5.4. This issue affects the function run_task of the file executor/app/api/v1/task.py. The manipulation of the argument callback_url leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically due to inactivity.

Action-Not Available
Vendor-poco-ai
Product-poco-claw
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-10212
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.48% / 71.02%
||
7 Day CHG~0.00%
Published-06 Mar, 2020 | 23:30
Updated-04 Aug, 2024 | 10:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

upload.php in Responsive FileManager 9.13.4 and 9.14.0 allows SSRF via the url parameter because file-extension blocking is mishandled and because it is possible for a DNS hostname to resolve to an internal IP address. For example, an SSRF attempt may succeed if a .ico filename is added to the PATH_INFO. Also, an attacker could create a DNS hostname that resolves to the 0.0.0.0 IP address for DNS pinning. NOTE: this issue exists because of an incomplete fix for CVE-2018-14728.

Action-Not Available
Vendor-tecrailn/a
Product-responsive_filemanagern/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-15750
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 13.40%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:30
Updated-15 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mastergo-design mastergo-magic-mcp mcp__getComponentLink get-component-link.ts z.string server-side request forgery

A weakness has been identified in mastergo-design mastergo-magic-mcp up to 0.2.0. Impacted is the function z.string of the file src/tools/get-component-link.ts of the component mcp__getComponentLink. Executing a manipulation of the argument url can lead to server-side request forgery. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-mastergo-design
Product-mastergo-magic-mcp
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-15330
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.35% / 27.47%
||
7 Day CHG~0.00%
Published-10 Jul, 2026 | 04:00
Updated-10 Jul, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zhayujie CowAgent Vision Tool vision.py _download_to_data_url server-side request forgery

A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function _build_image_content/_download_to_data_url of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.2 is recommended to address this issue. This patch is called e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. Upgrading the affected component is advised.

Action-Not Available
Vendor-zhayujie
Product-CowAgent
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-0510
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-0.88% / 55.09%
||
7 Day CHG~0.00%
Published-13 Jan, 2024 | 22:00
Updated-04 Nov, 2025 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HaoKeKeJi YiQiNiu Api.php http_post server-side request forgery

A vulnerability, which was classified as critical, has been found in HaoKeKeJi YiQiNiu up to 3.1. Affected by this issue is the function http_post of the file /application/pay/controller/Api.php. The manipulation of the argument url leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250652.

Action-Not Available
Vendor-haokekejiHaoKeKeJi
Product-yiqiniuYiQiNiu
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-0946
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-0.62% / 45.76%
||
7 Day CHG~0.00%
Published-26 Jan, 2024 | 21:00
Updated-03 Jun, 2025 | 17:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
60IndexPage Parameter index.php server-side request forgery

A vulnerability classified as critical was found in 60IndexPage up to 1.8.5. This vulnerability affects unknown code of the file /apply/index.php of the component Parameter Handler. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-252190 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-60indexpage_projectn/a
Product-60indexpage60IndexPage
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-11437
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.41% / 33.12%
||
7 Day CHG~0.00%
Published-06 Jun, 2026 | 16:30
Updated-08 Jun, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
perfree go-fastdfs-web Installation Endpoint checkServer server-side request forgery

A flaw has been found in perfree go-fastdfs-web up to 1.3.7. Affected is the function checkServer of the file /install/checkServer of the component Installation Endpoint. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-perfree
Product-go-fastdfs-web
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-10771
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.29% / 21.35%
||
7 Day CHG~0.00%
Published-03 Jun, 2026 | 21:30
Updated-04 Jun, 2026 | 13:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
crmeb crmeb_java base64 Qrcode Endpoint RestTemplateUtil.java RestTemplate.getForEntity server-side request forgery

A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-crmeb
Product-crmeb_java
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-10287
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.29% / 21.35%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 19:45
Updated-02 Jun, 2026 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester SEO Meta Tag Extractor index.php get_headers server-side request forgery

A vulnerability was determined in SourceCodester SEO Meta Tag Extractor 1.0. This vulnerability affects the function get_headers of the file /index.php. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-SourceCodester
Product-SEO Meta Tag Extractor
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-10068
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.28% / 19.79%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 15:45
Updated-29 May, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shibby Tomato SUBSCRIBE Call miniupnpd send server-side request forgery

A flaw has been found in Shibby Tomato 1.28. The affected element is the function send of the file usr/sbin/miniupnpd of the component SUBSCRIBE Call Handler. This manipulation causes server-side request forgery. The attack may be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

Action-Not Available
Vendor-Shibby
Product-Tomato
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-10280
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.30% / 22.44%
||
7 Day CHG~0.00%
Published-01 Jun, 2026 | 18:00
Updated-02 Jun, 2026 | 15:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
horizon921 mcpilot MCP API Call Endpoint route.ts server-side request forgery

A security flaw has been discovered in horizon921 mcpilot 0.1.0. The impacted element is an unknown function of the file client/src/app/api/mcp/call/route.ts of the component MCP API Call Endpoint. The manipulation of the argument serverBaseUrl results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-horizon921
Product-mcpilot
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-18355
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.51% / 71.66%
||
7 Day CHG~0.00%
Published-23 Oct, 2019 | 18:38
Updated-05 Aug, 2024 | 01:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SSRF issue was discovered in the legacy Web launcher in Thycotic Secret Server before 10.7.

Action-Not Available
Vendor-thycoticn/a
Product-secret_servern/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-14704
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.93% / 77.70%
||
7 Day CHG~0.00%
Published-06 Aug, 2019 | 22:24
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SSRF issue was discovered in HTTPD on MicroDigital N-series cameras with firmware through 6400.0.8.5 via FTP commands following a newline character in the uploadfile field.

Action-Not Available
Vendor-microdigitaln/a
Product-mdc-n4090mdc-n4090w_firmwaremdc-n2190v_firmwaremdc-n2190vmdc-n4090wmdc-n4090_firmwaren/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-11066
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.51% / 71.66%
||
7 Day CHG~0.00%
Published-10 May, 2019 | 19:18
Updated-04 Aug, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

openid.php in LightOpenID through 1.3.1 allows SSRF via a crafted OpenID 2.0 assertion request using the HTTP GET method.

Action-Not Available
Vendor-lightopenid_projectn/a
Product-lightopenidn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2013-4864
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.31% / 92.82%
||
7 Day CHG~0.00%
Published-28 Jan, 2020 | 16:09
Updated-06 Aug, 2024 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to send HTTP requests to intranet servers via the url parameter to cgi-bin/cmh/proxy.sh, related to a Server-Side Request Forgery (SSRF) issue.

Action-Not Available
Vendor-micasaverden/a
Product-veraliteveralite_firmwaren/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-2216
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.4||CRITICAL
EPSS-1.54% / 72.19%
||
7 Day CHG+0.01%
Published-27 Jun, 2022 | 12:10
Updated-03 Aug, 2024 | 00:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in ionicabizau/parse-url

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Action-Not Available
Vendor-parse-url_projectionicabizau
Product-parse-urlionicabizau/parse-url
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-1386
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-71.72% / 99.35%
||
7 Day CHG~0.00%
Published-16 May, 2022 | 14:30
Updated-03 Aug, 2024 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fusion Builder < 3.6.2 - Unauthenticated SSRF

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.

Action-Not Available
Vendor-UnknownAvada (ThemeFusion)
Product-avadafusion_builderFusion Builder
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2018-14514
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.63% / 73.51%
||
7 Day CHG~0.00%
Published-23 Jul, 2018 | 08:00
Updated-05 Aug, 2024 | 09:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SSRF vulnerability was discovered in idreamsoft iCMS V7.0.9 that allows attackers to read sensitive files, access an intranet, or possibly have unspecified other impact.

Action-Not Available
Vendor-icmsdevn/a
Product-icmsn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2018-14728
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-76.51% / 99.49%
||
7 Day CHG~0.00%
Published-03 Aug, 2018 | 18:00
Updated-05 Aug, 2024 | 09:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

upload.php in Responsive FileManager 9.13.1 allows SSRF via the url parameter.

Action-Not Available
Vendor-tecrailn/a
Product-responsive_filemanagern/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-0767
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.1||CRITICAL
EPSS-0.96% / 57.66%
||
7 Day CHG~0.00%
Published-07 Mar, 2022 | 07:05
Updated-19 Nov, 2024 | 13:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in janeczku/calibre-web

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.

Action-Not Available
Vendor-janeczkujaneczku
Product-calibre-webjaneczku/calibre-web
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-0766
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-1.28% / 66.89%
||
7 Day CHG~0.00%
Published-07 Mar, 2022 | 07:05
Updated-19 Nov, 2024 | 13:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in janeczku/calibre-web

Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.

Action-Not Available
Vendor-janeczkujaneczku
Product-calibre-webjaneczku/calibre-web
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-0339
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.95% / 57.41%
||
7 Day CHG~0.00%
Published-30 Jan, 2022 | 13:17
Updated-19 Nov, 2024 | 13:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in janeczku/calibre-web

Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.

Action-Not Available
Vendor-janeczkujaneczku
Product-calibre-webjaneczku/calibre-web
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2018-1000124
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||CRITICAL
EPSS-1.83% / 76.49%
||
7 Day CHG~0.00%
Published-13 Mar, 2018 | 21:00
Updated-05 Dec, 2025 | 20:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

I Librarian I-librarian version 4.8 and earlier contains a XML External Entity (XXE) vulnerability in line 154 of importmetadata.php(simplexml_load_string) that can result in an attacker reading the contents of a file and SSRF. This attack appear to be exploitable via posting xml in the Parameter form_import_textarea.

Action-Not Available
Vendor-scilicon/a
Product-i\,_librariann/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2017-9458
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.46% / 82.67%
||
7 Day CHG~0.00%
Published-07 Sep, 2017 | 13:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

XML external entity (XXE) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows remote attackers to obtain sensitive information, cause a denial of service, or conduct server-side request forgery (SSRF) attacks via unspecified vectors.

Action-Not Available
Vendor-n/aPalo Alto Networks, Inc.
Product-pan-osn/a
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-3905
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-10||CRITICAL
EPSS-3.29% / 87.09%
||
7 Day CHG~0.00%
Published-03 Jan, 2019 | 18:00
Updated-30 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_adselfservice_plusn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-0086
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.2||HIGH
EPSS-1.21% / 64.89%
||
7 Day CHG~0.00%
Published-04 Jan, 2022 | 17:15
Updated-02 Aug, 2024 | 23:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in transloadit/uppy

uppy is vulnerable to Server-Side Request Forgery (SSRF)

Action-Not Available
Vendor-transloadittransloadit
Product-uppytransloadit/uppy
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-44659
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.52% / 83.09%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 17:27
Updated-04 Aug, 2024 | 05:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor's position is that the observed behavior is not a vulnerability, because the product's design allows an admin to configure outbound requests

Action-Not Available
Vendor-thoughtworksn/a
Product-gocdn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-41403
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-17.64% / 96.81%
||
7 Day CHG~0.00%
Published-15 Jun, 2022 | 21:11
Updated-04 Aug, 2024 | 03:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

flatCore-CMS version 2.0.8 calls dangerous functions, causing server-side request forgery vulnerabilities.

Action-Not Available
Vendor-flatcoren/a
Product-flatcore-cmsn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-0945
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-7.3||HIGH
EPSS-0.62% / 45.76%
||
7 Day CHG~0.00%
Published-26 Jan, 2024 | 20:31
Updated-13 Nov, 2024 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
60IndexPage Parameter file.php server-side request forgery

A vulnerability classified as critical has been found in 60IndexPage up to 1.8.5. This affects an unknown part of the file /include/file.php of the component Parameter Handler. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252189 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-60indexpage_projectn/a
Product-60indexpage60IndexPage
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-39303
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.67% / 74.19%
||
7 Day CHG~0.00%
Published-12 Nov, 2021 | 20:36
Updated-04 Aug, 2024 | 02:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The server in Jamf Pro before 10.32.0 has an SSRF vulnerability, aka PI-006352. NOTE: Jamf Nation will also publish an article about this vulnerability.

Action-Not Available
Vendor-jamfn/a
Product-jamfn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-37353
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.94% / 85.60%
||
7 Day CHG~0.00%
Published-13 Aug, 2021 | 11:29
Updated-04 Aug, 2024 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Nagios XI Docker Wizard before version 1.1.3 is vulnerable to SSRF due to improper sanitation in table_population.php.

Action-Not Available
Vendor-n/aNagios Enterprises, LLC
Product-nagios_xi_docker_wizardn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-29180
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.74% / 50.66%
||
7 Day CHG~0.00%
Published-07 May, 2022 | 03:40
Updated-23 Apr, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Charm vulnerable to server-side request forgery (SSRF)

A vulnerability in which attackers could forge HTTP requests to manipulate the `charm` data directory to access or delete anything on the server. This has been patched and is available in release [v0.12.1](https://github.com/charmbracelet/charm/releases/tag/v0.12.1). We recommend that all users running self-hosted `charm` instances update immediately. This vulnerability was found in-house and we haven't been notified of any potential exploiters. ### Additional notes * Encrypted user data uploaded to the Charm server is safe as Charm servers cannot decrypt user data. This includes filenames, paths, and all key-value data. * Users running the official Charm [Docker images](https://github.com/charmbracelet/charm/blob/main/docker.md) are at minimal risk because the exploit is limited to the containerized filesystem.

Action-Not Available
Vendor-charmcharmbracelet
Product-charmcharm
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-31531
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.37% / 81.94%
||
7 Day CHG~0.00%
Published-29 Jun, 2021 | 13:13
Updated-30 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).

Action-Not Available
Vendor-n/aZoho Corporation Pvt. Ltd.
Product-manageengine_servicedesk_plus_mspn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-27670
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-61.27% / 99.06%
||
7 Day CHG~0.00%
Published-25 Feb, 2021 | 00:01
Updated-03 Aug, 2024 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Appspace 6.2.4 allows SSRF via the api/v1/core/proxy/jsonprequest url parameter.

Action-Not Available
Vendor-appspacen/a
Product-appspacen/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-26855
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.1||CRITICAL
EPSS-100.00% / 99.99%
||
7 Day CHG~0.00%
Published-02 Mar, 2021 | 23:55
Updated-30 Oct, 2025 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.
Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft Exchange Server Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-exchange_serverMicrosoft Exchange Server 2019 Cumulative Update 2Microsoft Exchange Server 2016 Cumulative Update 18Microsoft Exchange Server 2019 Cumulative Update 6Microsoft Exchange Server 2019 Cumulative Update 8Microsoft Exchange Server 2019 Cumulative Update 5Microsoft Exchange Server 2016 Cumulative Update 16Microsoft Exchange Server 2016 Cumulative Update 19Microsoft Exchange Server 2016 Cumulative Update 12Microsoft Exchange Server 2019 Cumulative Update 7Microsoft Exchange Server 2016 Cumulative Update 15Microsoft Exchange Server 2019Microsoft Exchange Server 2016 Cumulative Update 14Microsoft Exchange Server 2016 Cumulative Update 8Microsoft Exchange Server 2013 Cumulative Update 21Microsoft Exchange Server 2016 Cumulative Update 11Microsoft Exchange Server 2016 Cumulative Update 13Microsoft Exchange Server 2019 Cumulative Update 4Microsoft Exchange Server 2019 Cumulative Update 3Microsoft Exchange Server 2016 Cumulative Update 10Microsoft Exchange Server 2019 Cumulative Update 1Microsoft Exchange Server 2013 Cumulative Update 23Microsoft Exchange Server 2013 Cumulative Update 22Microsoft Exchange Server 2016 Cumulative Update 9Microsoft Exchange Server 2016 Cumulative Update 17Exchange Server
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2018-20596
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.14% / 63.08%
||
7 Day CHG~0.00%
Published-30 Dec, 2018 | 18:00
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jspxcms v9.0.0 allows SSRF.

Action-Not Available
Vendor-jspxcmsn/a
Product-jspxcmsn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-24472
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-56.61% / 98.95%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Unauthenticated RFI and SSRF

The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.

Action-Not Available
Vendor-qantumthemesQantumThemes
Product-kentharadioonair2OnAir2QT KenthaRadio
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found