Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-54033

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-25 Jun, 2026 | 15:50
Updated At-25 Jun, 2026 | 17:43
Rejected At-
Credits

LibreChat: SSRF via User-Provided Custom Endpoint baseURL — no private IP validation on user-configured API base URLs

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting a baseURL. This URL is used to construct HTTP requests without any SSRF validation — no private IP check, no scheme restriction, no DNS pinning. An authenticated user can set baseURL to internal network addresses. This vulnerability is fixed in 0.8.4-rc1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:25 Jun, 2026 | 15:50
Updated At:25 Jun, 2026 | 17:43
Rejected At:
▼CVE Numbering Authority (CNA)
LibreChat: SSRF via User-Provided Custom Endpoint baseURL — no private IP validation on user-configured API base URLs

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting a baseURL. This URL is used to construct HTTP requests without any SSRF validation — no private IP check, no scheme restriction, no DNS pinning. An authenticated user can set baseURL to internal network addresses. This vulnerability is fixed in 0.8.4-rc1.

Affected Products
Vendor
danny-avila
Product
LibreChat
Versions
Affected
  • < 0.8.4-rc1
Problem Types
TypeCWE IDDescription
CWECWE-918CWE-918: Server-Side Request Forgery (SSRF)
Type: CWE
CWE ID: CWE-918
Description: CWE-918: Server-Side Request Forgery (SSRF)
Metrics
VersionBase scoreBase severityVector
3.17.7HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhq
x_refsource_CONFIRM
Hyperlink: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhq
Resource:
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhq
exploit
Hyperlink: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhq
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:25 Jun, 2026 | 17:16
Updated At:29 Jun, 2026 | 15:39

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting a baseURL. This URL is used to construct HTTP requests without any SSRF validation — no private IP check, no scheme restriction, no DNS pinning. An authenticated user can set baseURL to internal network addresses. This vulnerability is fixed in 0.8.4-rc1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.7HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
N/A
Type: Secondary
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

librechat
librechat
>>librechat>>Versions up to 0.8.3(inclusive)
cpe:2.3:a:librechat:librechat:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-918Secondarysecurity-advisories@github.com
CWE ID: CWE-918
Type: Secondary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhqsecurity-advisories@github.com
Exploit
Mitigation
Vendor Advisory
https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhq134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Mitigation
Vendor Advisory
Hyperlink: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhq
Source: security-advisories@github.com
Resource:
Exploit
Mitigation
Vendor Advisory
Hyperlink: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-gc9r-88c3-7qhq
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Mitigation
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

196Records found

CVE-2024-51408
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.5||HIGH
EPSS-0.47% / 37.46%
||
7 Day CHG~0.00%
Published-04 Nov, 2024 | 00:00
Updated-06 Nov, 2024 | 22:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

AppSmith Community 1.8.3 before 1.46 allows SSRF via New DataSource for application/json requests to 169.254.169.254 to retrieve AWS metadata credentials.

Action-Not Available
Vendor-appsmithn/aappsmith
Product-appsmithn/aappsmith
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-43573
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-4.9||MEDIUM
EPSS-0.25% / 16.56%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 11:25
Updated-07 May, 2026 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.4.10 - SSRF Policy Bypass in Existing-Session Browser Interaction Routes

OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-43576
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-4.9||MEDIUM
EPSS-0.27% / 17.91%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 19:49
Updated-07 May, 2026 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.4.5 - Second-hop SSRF via CDP /json/version WebSocket URL

OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-43527
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-6.3||MEDIUM
EPSS-0.28% / 19.80%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 11:24
Updated-07 May, 2026 | 13:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.4.14 - Server-Side Request Forgery via Private Network Navigation

OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-6570
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.7||HIGH
EPSS-0.60% / 44.64%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 12:59
Updated-02 Aug, 2024 | 08:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in kubeflow/kubeflow

Server-Side Request Forgery (SSRF) in kubeflow/kubeflow

Action-Not Available
Vendor-kubeflowkubeflow
Product-kubeflowkubeflow/kubeflow
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-6199
Matching Score-4
Assigner-Fluid Attacks
ShareView Details
Matching Score-4
Assigner-Fluid Attacks
CVSS Score-6.5||MEDIUM
EPSS-1.38% / 68.81%
||
7 Day CHG~0.00%
Published-20 Nov, 2023 | 22:21
Updated-19 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Book Stack v23.10.2 - LFR via Blind SSRF

Book Stack version 23.10.2 allows filtering local files on the server. This is possible because the application is vulnerable to SSRF.

Action-Not Available
Vendor-bookstackappBookStack
Product-bookstackBookStack
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-42965
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.7||HIGH
EPSS-0.23% / 13.28%
||
7 Day CHG+0.02%
Published-29 May, 2026 | 09:50
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Openshift/router: openshift/router: cloud metadata ssrf via fqdn-typed endpointslice bypasses destination validation

A flaw was found in the OpenShift Router. A user with EndpointSlice write access can exploit this vulnerability by creating a Service backed by an FQDN (Fully Qualified Domain Name) EndpointSlice that resolves to a cloud metadata endpoint. This allows the router to proxy requests to the cloud metadata endpoint, leading to the disclosure of instance credentials and other sensitive metadata. This bypasses previous security measures for validating IP addresses.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openshift_container_platformopenshift_routerRed Hat OpenShift Container Platform 4Red Hat OpenShift Container Platform 4
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-42398
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-7.7||HIGH
EPSS-0.30% / 21.69%
||
7 Day CHG+0.03%
Published-28 May, 2026 | 19:47
Updated-01 Jun, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-51676
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.9||MEDIUM
EPSS-0.31% / 22.34%
||
7 Day CHG~0.00%
Published-29 Dec, 2023 | 12:44
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Happy Addons for Elementor Plugin <= 3.9.1.1 is vulnerable to Server Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) vulnerability in Leevio Happy Addons for Elementor.This issue affects Happy Addons for Elementor: from n/a through 3.9.1.1.

Action-Not Available
Vendor-LeevioweDevs Pte. Ltd.
Product-happy_addons_for_elementorHappy Addons for Elementor
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-32750
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-3.85% / 88.85%
||
7 Day CHG~0.00%
Published-08 Jun, 2023 | 00:00
Updated-06 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pydio Cells through 4.1.2 allows SSRF. For longer running processes, Pydio Cells allows for the creation of jobs, which are run in the background. The job "remote-download" can be used to cause the backend to send a HTTP GET request to a specified URL and save the response to a new file. The response file is then available in a user-specified folder in Pydio Cells.

Action-Not Available
Vendor-pydion/a
Product-cellsn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-45085
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-6.5||MEDIUM
EPSS-0.55% / 42.08%
||
7 Day CHG~0.00%
Published-08 Feb, 2023 | 14:48
Updated-18 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery in Smartpower Web

Server-Side Request Forgery (SSRF) vulnerability in Group Arge Energy and Control Systems Smartpower Web allows : Server Side Request Forgery. This issue affects Smartpower Web: before 23.01.01.

Action-Not Available
Vendor-grupargeGroup Arge Energy and Control Systems
Product-smartpower_webSmartpower Web
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-42345
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.21% / 11.59%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 22:11
Updated-13 May, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FastGPT: Cloud metadata endpoint SSRF protection bypass via port specification, IPv6 mapping, hex/decimal IP encoding, and trailing dot

FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not 'true'), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches.

Action-Not Available
Vendor-Labring Computing Co., LTD.
Product-FastGPT
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-41688
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.23% / 13.33%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 13:52
Updated-07 May, 2026 | 15:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incomplete fix for CVE-2026-33399: SSRF in Wallos

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches.

Action-Not Available
Vendor-ellite
Product-Wallos
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-41413
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5||MEDIUM
EPSS-0.33% / 24.76%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 04:18
Updated-08 May, 2026 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Istio Vulnerable to SSRF via RequestAuthentication jwksUri

Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link local ips. This can result in sensitive data being distributed to Envoy proxies via xDS configuration. This issue has been patched in versions 1.28.6 and 1.29.2.

Action-Not Available
Vendor-istioistio
Product-istioistio
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-43776
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.66% / 46.90%
||
7 Day CHG~0.00%
Published-26 Oct, 2022 | 00:00
Updated-07 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects.

Action-Not Available
Vendor-metabasen/a
Product-metabaseMetabase
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-48204
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.65% / 46.80%
||
7 Day CHG~0.00%
Published-15 Nov, 2023 | 00:00
Updated-29 Aug, 2024 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in PublicCMS v.4.0.202302.e allows a remote attacker to obtain sensitive information via the appToken and Parameters parameter of the api/method/getHtml component.

Action-Not Available
Vendor-publiccmsn/a
Product-publiccmsn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-41905
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.21% / 11.04%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 18:08
Updated-07 May, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FreeScout vulnerable to SSRF via Helper::sanitizeRemoteUrl: redirect destination not re-validated, allowing internal HTTP / cloud-metadata access

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, Helper::sanitizeRemoteUrl() in app/Misc/Helper.php follows HTTP redirects via curlGetLastRedirectedUrl() but then re-validates the original URL instead of the final redirect destination. An attacker who can supply any URL that passes the initial host check can redirect FreeScout to internal HTTP services (cloud metadata, internal APIs, RFC1918 ranges) that would normally be blocked. This issue has been patched in version 1.8.217.

Action-Not Available
Vendor-freescout-help-desk
Product-freescout
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-42181
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 11.04%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 19:26
Updated-12 May, 2026 | 15:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated og:image

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.

Action-Not Available
Vendor-LemmyNet
Product-lemmy
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-46736
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.36% / 27.82%
||
7 Day CHG~0.00%
Published-05 Dec, 2023 | 20:55
Updated-02 Aug, 2024 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery in espocrm

EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forgery (SSRF) vulnerability via the upload image from url api. Users who have access to `the /Attachment/fromImageUrl` endpoint can specify URL to point to an internal host. Even though there is check for content type, it can be bypassed by redirects in some cases. This SSRF can be leveraged to disclose internal information (in some cases), target internal hosts and bypass firewalls. This vulnerability has been addressed in commit `c536cee63` which is included in release version 8.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-espocrmespocrm
Product-espocrmespocrm
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-15809
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.94% / 56.55%
||
7 Day CHG~0.00%
Published-24 Mar, 2021 | 16:54
Updated-04 Aug, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

spxmanage on certain SpinetiX devices allows requests that access unintended resources because of SSRF and Path Traversal. This affects HMP350, HMP300, and DiVA through 4.5.2-1.0.36229; HMP400 and HMP400W through 4.5.2-1.0.2-1eb2ffbd; and DSOS through 4.5.2-1.0.2-1eb2ffbd.

Action-Not Available
Vendor-spinetixn/a
Product-hmp400_firmwarehmp350_firmwarehmp400whmp400hmp300hmp400w_firmwarehmp350divadsoshmp300_firmwarediva_firmwaren/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-48944
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.58% / 43.30%
||
7 Day CHG+0.04%
Published-27 Mar, 2025 | 15:05
Updated-08 May, 2025 | 10:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Kylin: SSRF vulnerability in the diagnosis api

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information. There are two preconditions: 1) The attacker has got admin access to a kylin server; 2) Another internal host has the "/kylin/api/xxx/diag" api endpoint open for service. This issue affects Apache Kylin: from 5.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-kylinApache Kylin
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-41060
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.30% / 21.71%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 22:44
Updated-24 Apr, 2026 | 15:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site's public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration. Commit a0156a6398362086390d949190f9d52a823000ba fixes the issue.

Action-Not Available
Vendor-wwbnWWBN
Product-avideoAVideo
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-44256
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-6.4||MEDIUM
EPSS-1.22% / 65.03%
||
7 Day CHG~0.00%
Published-20 Oct, 2023 | 09:04
Updated-12 Sep, 2024 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 and FortiManager version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 allows a remote attacker with low privileges to view sensitive data from internal servers or perform a local port scan via a crafted HTTP request.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortimanagerFortiManagerFortiAnalyzerfortianalyzerfortimanager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-39843
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.25% / 15.69%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 15:43
Updated-17 Apr, 2026 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching

Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetch_and_encode_favicon() still uses requests.get(favicon_url, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0.

Action-Not Available
Vendor-planemakeplane
Product-planeplane
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-41239
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.4||MEDIUM
EPSS-0.38% / 30.05%
||
7 Day CHG~0.00%
Published-13 Nov, 2023 | 02:42
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PowerPress Podcasting Plugin <= 11.0.6 is vulnerable to Server Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) vulnerability in Blubrry PowerPress Podcasting plugin by Blubrry.This issue affects PowerPress Podcasting plugin by Blubrry: from n/a through 11.0.6.

Action-Not Available
Vendor-blubrryBlubrry
Product-powerpressPowerPress Podcasting plugin by Blubrry
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-40564
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.49% / 38.59%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 14:38
Updated-02 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator

Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.  This lets a user with CR create permissions read files from the operator pod's filesystem and pull content from any backing store reachable through Flink's pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0. Users are recommended to upgrade to version 1.15.0, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-flink_kubernetes_operatorApache Flink Kubernetes Operator
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-39854
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.43% / 34.33%
||
7 Day CHG~0.00%
Published-09 Oct, 2023 | 00:00
Updated-19 Sep, 2024 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the /hydra/view/get_cc_url url parameter. There can be resultant SSRF.

Action-Not Available
Vendor-atxn/a
Product-ucryptn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-45290
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.58% / 43.44%
||
7 Day CHG~0.00%
Published-07 Oct, 2024 | 20:12
Updated-16 Oct, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path traversal and Server-Side Request Forgery when opening XLSX files in PHPSpreadsheet

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted `php://filter` URLs an attacker can leak the contents of any file or URL. Note that this vulnerability is different from GHSA-w9xv-qf98-ccq4, and resides in a different component. An attacker can access any file on the server, or leak information form arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-PHPOffice
Product-phpspreadsheetPhpSpreadsheetphpspreadsheet
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CWE ID-CWE-36
Absolute Path Traversal
CVE-2023-39313
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.7||HIGH
EPSS-0.46% / 36.80%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 05:56
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Avada theme <= 7.11.1 - Authenticated Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery (SSRF) vulnerability in ThemeFusion Avada.This issue affects Avada: from n/a through 7.11.1.

Action-Not Available
Vendor-Avada (ThemeFusion)
Product-avadaAvada
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-40348
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.38% / 29.91%
||
7 Day CHG~0.00%
Published-18 Apr, 2026 | 00:01
Updated-27 Apr, 2026 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Movary has Authenticated SSRF via Jellyfin Server URL Verification that Allows Internal Network Probing

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. The endpoint accepts a user-controlled URL, appends `/system/info/public`, and sends a server-side HTTP request with Guzzle. Because there is no restriction on internal hosts, loopback addresses, or private network ranges, this can be abused for SSRF and internal network probing. Any ordinary authenticated user can use this endpoint to make the server connect to arbitrary internal targets and distinguish between different network states. This enables SSRF-based internal reconnaissance, including host discovery, port-state probing, and service fingerprinting. In certain deployments, it may also be usable to reach internal administrative services or cloud metadata endpoints that are not directly accessible from the outside. Version 0.71.1 fixes the issue.

Action-Not Available
Vendor-leepeukerleepeuker
Product-movarymovary
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-40346
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.38% / 30.38%
||
7 Day CHG~0.00%
Published-17 Apr, 2026 | 23:54
Updated-13 May, 2026 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.

Action-Not Available
Vendor-nocobasenocobase
Product-nocobase@nocobase/plugin-workflow-request
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-36679
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.1||HIGH
EPSS-0.33% / 24.93%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 05:58
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Spectra plugin <= 2.6.6 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Spectra.This issue affects Spectra: from n/a through 2.6.6.

Action-Not Available
Vendor-Brainstorm Force
Product-spectraSpectra
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-5526
Matching Score-4
Assigner-Grafana Labs
ShareView Details
Matching Score-4
Assigner-Grafana Labs
CVSS Score-7.7||HIGH
EPSS-0.40% / 32.15%
||
7 Day CHG~0.00%
Published-05 Jun, 2024 | 11:21
Updated-01 Aug, 2024 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Grafana OnCall is an easy-to-use on-call management tool that will help reduce toil in on-call management through simpler workflows and interfaces that are tailored specifically for engineers. Grafana OnCall, from version 1.1.37 before 1.5.2 are vulnerable to a Server Side Request Forgery (SSRF) vulnerability in the webhook functionallity. This issue was fixed in version 1.5.2

Action-Not Available
Vendor-Grafana Labs
Product-oncallOnCalloncall
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-36759
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 11.04%
||
7 Day CHG~0.00%
Published-30 Apr, 2026 | 00:00
Updated-30 Apr, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-39368
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 11.17%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 19:23
Updated-22 Apr, 2026 | 18:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.

Action-Not Available
Vendor-wwbnWWBN
Product-avideoAVideo
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-39361
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.27% / 17.89%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 19:02
Updated-14 Apr, 2026 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url

OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.

Action-Not Available
Vendor-openobserveopenobserve
Product-openobserveopenobserve
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-34746
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.30% / 21.34%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 19:43
Updated-13 Apr, 2026 | 18:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Payload has Authenticated SSRF via Upload Functionality

Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.

Action-Not Available
Vendor-payloadcmspayloadcms
Product-payloadpayload
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-34740
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 24.13%
||
7 Day CHG~0.00%
Published-31 Mar, 2026 | 20:57
Updated-01 Apr, 2026 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services. At time of publication, there are no publicly available patches.

Action-Not Available
Vendor-wwbnWWBN
Product-avideoAVideo
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-34936
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.34% / 25.60%
||
7 Day CHG~0.00%
Published-03 Apr, 2026 | 22:50
Updated-14 Apr, 2026 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server. This issue has been patched in version 4.5.90.

Action-Not Available
Vendor-praisonMervinPraison
Product-praisonaiPraisonAI
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-35187
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.27% / 18.49%
||
7 Day CHG~0.00%
Published-06 Apr, 2026 | 19:33
Updated-20 Apr, 2026 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
pyLoad has SSRF in parse_urls API endpoint via unvalidated URL parameter

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, read local files via file:// protocol (pycurl reads the file server-side), interact with internal services via gopher:// and dict:// protocols, and enumerate file existence via error-based oracle (error 37 vs empty response).

Action-Not Available
Vendor-pyload-ng_projectpyload
Product-pyload-ngpyload
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-42343
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-6.5||MEDIUM
EPSS-1.36% / 68.43%
||
7 Day CHG~0.00%
Published-19 Dec, 2022 | 10:00
Updated-23 Apr, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Campaign Classic Server-Side Request Forgery Arbitrary file system read

Adobe Campaign version 7.3.1 (and earlier) and 8.3.9 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A low-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.Linux Kernel Organization, IncMicrosoft Corporation
Product-windowscampaignlinux_kernelAdobe Campaign Classic (ACC)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-35409
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.34% / 25.56%
||
7 Day CHG~0.00%
Published-06 Apr, 2026 | 21:31
Updated-20 Apr, 2026 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0.

Action-Not Available
Vendor-monospacedirectus
Product-directusdirectus
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-33992
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-0.40% / 31.71%
||
7 Day CHG~0.00%
Published-27 Mar, 2026 | 22:12
Updated-31 Mar, 2026 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration

pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.

Action-Not Available
Vendor-pyloadpyload
Product-pyloadpyload
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-33486
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.38% / 30.24%
||
7 Day CHG~0.00%
Published-26 Mar, 2026 | 17:15
Updated-31 Mar, 2026 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents

Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. Versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 contain a patch.

Action-Not Available
Vendor-roadizroadiz
Product-core-bundle-dev-appcore-bundle-dev-app
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-34428
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.3||HIGH
EPSS-0.26% / 16.93%
||
7 Day CHG~0.00%
Published-20 Apr, 2026 | 13:55
Updated-08 May, 2026 | 13:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vvveb < 1.0.8.1 SSRF via oEmbedProxy

Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl() via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read arbitrary files readable by the web server process or http:// URLs targeting internal network addresses to probe internal services, with response bodies returned directly to the caller.

Action-Not Available
Vendor-givanz
Product-Vvveb
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-30444
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.1||HIGH
EPSS-0.40% / 32.38%
||
7 Day CHG~0.00%
Published-27 Apr, 2023 | 12:52
Updated-30 Jan, 2025 | 20:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Watson Machine Learning on Cloud Pak for Data server-side request forgery

IBM Watson Machine Learning on Cloud Pak for Data 4.0 and 4.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 253350.

Action-Not Available
Vendor-IBM Corporation
Product-watson_machine_learning_on_cloud_pak_for_dataWatson Machine Learning on Cloud Pak for Data
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-34576
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.3||HIGH
EPSS-0.27% / 18.33%
||
7 Day CHG~0.00%
Published-02 Apr, 2026 | 17:23
Updated-07 Apr, 2026 | 21:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Postiz: SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata

Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3.

Action-Not Available
Vendor-gitroomgitroomhq
Product-postizpostiz-app
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-33458
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-6.8||MEDIUM
EPSS-0.23% / 13.27%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 16:47
Updated-13 Apr, 2026 | 11:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure

Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data.

Action-Not Available
Vendor-Elasticsearch BV
Product-kibanaKibana
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2019-6257
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.7||HIGH
EPSS-1.10% / 61.61%
||
7 Day CHG~0.00%
Published-14 Jan, 2019 | 07:00
Updated-16 Sep, 2024 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Server Side Request Forgery (SSRF) vulnerability in elFinder before 2.1.46 could allow a malicious user to access the content of internal network resources. This occurs in get_remote_contents() in php/elFinder.class.php.

Action-Not Available
Vendor-std42n/a
Product-elfindern/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-33399
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.28% / 20.03%
||
7 Day CHG~0.00%
Published-24 Mar, 2026 | 17:43
Updated-26 Mar, 2026 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wallos: SSRF Bypass - Incomplete Fix for CVE-2026-30839/30840

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0.

Action-Not Available
Vendor-wallosappellite
Product-wallosWallos
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found