Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-54401

Summary
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At-02 Jul, 2026 | 14:49
Updated At-02 Jul, 2026 | 15:51
Rejected At-
Credits

A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) to escalate privileges within such UniFi OS devices or instances.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hackerone
Assigner Org ID:36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At:02 Jul, 2026 | 14:49
Updated At:02 Jul, 2026 | 15:51
Rejected At:
â–¼CVE Numbering Authority (CNA)

A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) to escalate privileges within such UniFi OS devices or instances.

Affected Products
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
UniFi OS Server
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
Dream Machines
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
Enterprise Fortress Gateway
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
Dream Wall
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
Dream Routers
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
Express 7
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
Cloud Keys
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
Network Video Recorders
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
Enterprise Video Recorders
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
Cloud Gateways
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
Network Attached Storage
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Vendor
Ubiquiti Inc.Ubiquiti Inc
Product
Enterprise Firewall Core
Default Status
unaffected
Versions
Affected
  • From 0 before 5.1.19 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-918CWE-918 Server-Side Request Forgery (SSRF)
Type: CWE
CWE ID: CWE-918
Description: CWE-918 Server-Side Request Forgery (SSRF)
Metrics
VersionBase scoreBase severityVector
3.17.7HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc
N/A
Hyperlink: https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:support@hackerone.com
Published At:02 Jul, 2026 | 15:17
Updated At:02 Jul, 2026 | 16:54

A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) to escalate privileges within such UniFi OS devices or instances.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.7HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
N/A
Type: Secondary
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-918Secondarysupport@hackerone.com
CWE ID: CWE-918
Type: Secondary
Source: support@hackerone.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afcsupport@hackerone.com
N/A
Hyperlink: https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc
Source: support@hackerone.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

88Records found

CVE-2026-31941
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.23% / 13.81%
||
7 Day CHG~0.00%
Published-10 Apr, 2026 | 17:37
Updated-17 Apr, 2026 | 21:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in Chamilo LMS

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Action-Not Available
Vendor-chamilochamilo
Product-chamilo_lmschamilo-lms
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-33184
Matching Score-4
Assigner-Synology Inc.
ShareView Details
Matching Score-4
Assigner-Synology Inc.
CVSS Score-7.7||HIGH
EPSS-1.00% / 58.55%
||
7 Day CHG~0.00%
Published-01 Jun, 2021 | 09:50
Updated-17 Sep, 2024 | 04:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Server-Side request forgery (SSRF) vulnerability in task management component in Synology Download Station before 3.8.15-3563 allows remote authenticated users to read arbitrary files via unspecified vectors.

Action-Not Available
Vendor-Synology, Inc.
Product-download_stationSynology Download Station
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-29431
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-1.19% / 64.27%
||
7 Day CHG~0.00%
Published-15 Apr, 2021 | 21:00
Updated-03 Aug, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF in Sydent due to missing validation of hostnames

Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perform an internal port enumeration. This issue has been addressed in in 9e57334, 8936925, 3d531ed, 0f00412. A potential workaround would be to use a firewall to ensure that Sydent cannot reach internal HTTP resources.

Action-Not Available
Vendor-The Matrix.org Foundation
Product-sydentsydent
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CWE ID-CWE-20
Improper Input Validation
CVE-2026-3052
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.30% / 21.53%
||
7 Day CHG~0.00%
Published-24 Feb, 2026 | 01:32
Updated-28 Feb, 2026 | 02:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DataLinkDC dinky Flink Proxy Controller FlinkProxyController.java proxyUba server-side request forgery

A vulnerability was found in DataLinkDC dinky up to 1.2.5. The impacted element is the function proxyUba of the file dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java of the component Flink Proxy Controller. Performing a manipulation results in server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-dinkyDataLinkDC
Product-dinkydinky
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-29925
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.7||HIGH
EPSS-0.32% / 23.30%
||
7 Day CHG~0.00%
Published-30 Mar, 2026 | 00:00
Updated-02 Apr, 2026 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Request Forgery (SSRF) in CheckDatabaseRequest.php.

Action-Not Available
Vendor-invoiceninjan/a
Product-invoice_ninjan/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-27706
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.21% / 11.58%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 15:56
Updated-27 Feb, 2026 | 17:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Plane Vulnerable to Full Read SSRF via Favicon Fetching in "Add Link" Feature

Plane is an an open-source project management tool. Prior to version 1.2.2, a Full Read Server-Side Request Forgery (SSRF) vulnerability has been identified in the "Add Link" feature. This flaw allows an authenticated attacker with general user privileges to send arbitrary GET requests to the internal network and exfiltrate the full response body. By exploiting this vulnerability, an attacker can steal sensitive data from internal services and cloud metadata endpoints. Version 1.2.2 fixes the issue.

Action-Not Available
Vendor-planemakeplane
Product-planeplane
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-27479
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.31% / 22.50%
||
7 Day CHG~0.00%
Published-21 Feb, 2026 | 08:15
Updated-24 Feb, 2026 | 18:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wallos: SSRF via Redirect Bypass in Logo/Icon URL Fetch

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the request, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true), enabling an attacker to bypass the IP validation and access internal resources, including cloud instance metadata endpoints. The getLogoFromUrl() function validates the URL by resolving the hostname and checking if the resulting IP is in a private or reserved range using FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. However, the subsequent cURL request is configured with CURLOPT_FOLLOWLOCATION = true and CURLOPT_MAXREDIRS = 3, which means the request will follow HTTP redirects without re-validating the destination IP. This issue has been fixed in version 4.6.1.

Action-Not Available
Vendor-wallosappellite
Product-wallosWallos
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-25991
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.28% / 20.15%
||
7 Day CHG~0.00%
Published-13 Feb, 2026 | 18:29
Updated-17 Feb, 2026 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tandoor Recipes affected by Blind SSRF with Internal Network Access via Recipe Import

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, there is a Blind Server-Side Request Forgery (SSRF) vulnerability in the Cookmate recipe import feature of Tandoor Recipes. The application fails to validate the destination URL after following HTTP redirects, allowing any authenticated user (including standard users without administrative privileges) to force the server to connect to arbitrary internal or external resources. The vulnerability lies in cookbook/integration/cookmate.py, within the Cookmate integration class. This vulnerability can be leveraged to scan internal network ports, access cloud instance metadata (e.g., AWS/GCP Metadata Service), or disclose the server's real IP address. This vulnerability is fixed in 2.5.1.

Action-Not Available
Vendor-tandoorTandoorRecipes
Product-recipesrecipes
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-22255
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-7.7||HIGH
EPSS-1.29% / 66.69%
||
7 Day CHG~0.00%
Published-20 Aug, 2021 | 17:53
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SSRF in URL file upload in Baserow <1.1.0 allows remote authenticated users to retrieve files from the internal server network exposed over HTTP by inserting an internal address.

Action-Not Available
Vendor-baserowBaserow B.V.
Product-baserowBaserow
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-21287
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-24.78% / 97.63%
||
7 Day CHG~0.00%
Published-01 Feb, 2021 | 17:15
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery in MinIO Browser API

MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z, all users are advised to upgrade. As a workaround you can disable the browser front-end with "MINIO_BROWSER=off" environment variable.

Action-Not Available
Vendor-miniominio
Product-miniominio
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-26494
Matching Score-4
Assigner-Salesforce, Inc.
ShareView Details
Matching Score-4
Assigner-Salesforce, Inc.
CVSS Score-7.7||HIGH
EPSS-0.53% / 40.72%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 17:33
Updated-29 Oct, 2025 | 15:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server Side Request Forgery vulnerability in Tableau Server

Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server allows Authentication Bypass.This issue affects Tableau Server: from 2023.3 through 2023.3.5.

Action-Not Available
Vendor-tableauSalesforce
Product-tableau_serverTableau Server
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-23529
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.38% / 29.55%
||
7 Day CHG~0.00%
Published-16 Jan, 2026 | 16:53
Updated-26 Jan, 2026 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary File Read in Google BigQuery Sink connector

Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configurations for authentication to BigQuery services. During connector configuration, users can supply credential JSON files that are processed by Google authentication libraries. The service fails to validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by providing a malicious credential configuration containing crafted credential_source.file paths or credential_source.url endpoints, resulting in arbitrary file reads or SSRF attacks.

Action-Not Available
Vendor-Aiven
Product-bigquery-connector-for-apache-kafka
CWE ID-CWE-73
External Control of File Name or Path
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-22664
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.1||HIGH
EPSS-0.30% / 21.83%
||
7 Day CHG~0.00%
Published-03 Apr, 2026 | 20:27
Updated-26 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
prompts.chat SSRF via Fal.ai Media Status Polling

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in the Fal.ai media status polling feature that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL validation to disclose the FAL_API_KEY in the Authorization header, enabling credential theft, internal network probing, and abuse of the victim's Fal.ai account.

Action-Not Available
Vendor-fkaf
Product-prompts.chatprompts.chat
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-21433
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.27% / 19.23%
||
7 Day CHG~0.00%
Published-02 Jan, 2026 | 19:00
Updated-16 Jan, 2026 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Emlog vulnerable to Server-Side Request Forgery (SSRF)

Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available.

Action-Not Available
Vendor-emlogemlog
Product-emlogemlog
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-21887
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.21% / 11.50%
||
7 Day CHG~0.00%
Published-12 Mar, 2026 | 17:00
Updated-19 Mar, 2026 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenCTI has a Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform’s data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). This allows attackers to craft requests to arbitrary endpoints, including internal services, because Axios will accept and process absolute URLs. This results in a semi-blind SSRF, as responses may not be fully visible but can still impact internal systems. This vulnerability is fixed in 6.8.16.

Action-Not Available
Vendor-citeumOpenCTI-Platform
Product-openctiopencti
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-22219
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.3||HIGH
EPSS-4.44% / 90.23%
||
7 Day CHG~0.00%
Published-19 Jan, 2026 | 23:15
Updated-05 Mar, 2026 | 01:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chainlit < 2.9.4 SQLAlchemy Data Layer SSRF via /project/element

Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider.

Action-Not Available
Vendor-chainlitChainlit
Product-chainlitChainlit
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-10107
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7||HIGH
EPSS-0.25% / 16.26%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 16:41
Updated-23 Jun, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MoviePilot v2 SSRF via /api/v1/system/img/{proxy} Endpoint

MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protections because the SecurityUtils.is_safe_url function performs only domain-membership checking without blocking private, loopback, or link-local addresses, enabling enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources.

Action-Not Available
Vendor-jxxghp
Product-MoviePilot
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-0474
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-7.7||HIGH
EPSS-0.38% / 30.42%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 18:50
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Invoice Ninja PDF Rendering Server Side Request Forgery

Invoice Ninja is vulnerable to authenticated Server-Side Request Forgery (SSRF) allowing for arbitrary file read and network resource requests as the application user. This issue affects Invoice Ninja: from 5.8.56 through 5.11.23.

Action-Not Available
Vendor-Invoice Ninja
Product-Invoice Ninja
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-49521
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-7.7||HIGH
EPSS-0.65% / 46.74%
||
7 Day CHG~0.00%
Published-12 Nov, 2024 | 16:41
Updated-18 Nov, 2024 | 18:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Commerce | Server-Side Request Forgery (SSRF) (CWE-918)

Adobe Commerce versions 3.2.5 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to a security feature bypass. A low privileged attacker could exploit this vulnerability to send crafted requests from the vulnerable server to internal systems, which could result in the bypassing of security measures such as firewalls. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-magentocommerceAdobe Commerce
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-4851
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.7||HIGH
EPSS-0.58% / 43.26%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 18:39
Updated-17 Oct, 2024 | 18:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF Vulnerability in stangirard/quivr

A Server-Side Request Forgery (SSRF) vulnerability exists in the stangirard/quivr application, version 0.0.204, which allows attackers to access internal networks. The vulnerability is present in the crawl endpoint where the 'url' parameter can be manipulated to send HTTP requests to arbitrary URLs, thereby facilitating SSRF attacks. The affected code is located in the backend/routes/crawl_routes.py file, specifically within the crawl_endpoint function. This issue could allow attackers to interact with internal services that are accessible from the server hosting the application.

Action-Not Available
Vendor-quivrstangirardquivr
Product-quivrstangirard/quivrquivr
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-26258
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.3||MEDIUM
EPSS-82.24% / 99.62%
||
7 Day CHG+0.80%
Published-16 Dec, 2020 | 01:05
Updated-23 May, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Forgery Request can be activated unmarshalling with XStream

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

Action-Not Available
Vendor-xstreamx-streamFedora ProjectThe Apache Software FoundationDebian GNU/Linux
Product-debian_linuxstrutsfedoraxstreamxstream
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-45290
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.58% / 43.44%
||
7 Day CHG~0.00%
Published-07 Oct, 2024 | 20:12
Updated-16 Oct, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path traversal and Server-Side Request Forgery when opening XLSX files in PHPSpreadsheet

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted `php://filter` URLs an attacker can leak the contents of any file or URL. Note that this vulnerability is different from GHSA-w9xv-qf98-ccq4, and resides in a different component. An attacker can access any file on the server, or leak information form arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-PHPOffice
Product-phpspreadsheetPhpSpreadsheetphpspreadsheet
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CWE ID-CWE-36
Absolute Path Traversal
CVE-2021-39195
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-1.06% / 60.48%
||
7 Day CHG+0.03%
Published-07 Sep, 2021 | 19:00
Updated-04 Aug, 2024 | 01:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery vulnerability in misskey

Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.

Action-Not Available
Vendor-misskeymisskey-dev
Product-misskeymisskey
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-39598
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5||MEDIUM
EPSS-0.31% / 22.69%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 04:04
Updated-29 Aug, 2024 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)

SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-customer_relationship_management_s4fndcustomer_relationship_management_webclient_uiSAP CRM WebClient UI
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-45548
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.26% / 17.08%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 17:11
Updated-27 May, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation

Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticated user to trigger server-side requests to internal network addresses. This vulnerability is fixed in 3.34.8.

Action-Not Available
Vendor-Budibase
Product-budibase
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-43573
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-4.9||MEDIUM
EPSS-0.25% / 16.56%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 11:25
Updated-07 May, 2026 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.4.10 - SSRF Policy Bypass in Existing-Session Browser Interaction Routes

OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-43576
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-4.9||MEDIUM
EPSS-0.27% / 17.91%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 19:49
Updated-07 May, 2026 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.4.5 - Second-hop SSRF via CDP /json/version WebSocket URL

OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-43527
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-6.3||MEDIUM
EPSS-0.28% / 19.80%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 11:24
Updated-07 May, 2026 | 13:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.4.14 - Server-Side Request Forgery via Private Network Navigation

OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests.

Action-Not Available
Vendor-OpenClaw
Product-openclawOpenClaw
CWE ID-CWE-1188
Initialization of a Resource with an Insecure Default
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-42345
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.21% / 11.59%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 22:11
Updated-13 May, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FastGPT: Cloud metadata endpoint SSRF protection bypass via port specification, IPv6 mapping, hex/decimal IP encoding, and trailing dot

FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not 'true'), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches.

Action-Not Available
Vendor-Labring Computing Co., LTD.
Product-FastGPT
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-68477
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-5.76% / 92.17%
||
7 Day CHG~0.00%
Published-19 Dec, 2025 | 16:43
Updated-19 Dec, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Langflow vulnerable to Server-Side Request Forgery

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127[.]0[.]0[.]1, the 10/172/192 ranges) or cloud metadata endpoints (169[.]254[.]169[.]254), and it returns the response body as the result. Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks. Version 1.7.0 contains a patch for this issue.

Action-Not Available
Vendor-langflow-ai
Product-langflow
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-40348
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.38% / 29.91%
||
7 Day CHG~0.00%
Published-18 Apr, 2026 | 00:01
Updated-27 Apr, 2026 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Movary has Authenticated SSRF via Jellyfin Server URL Verification that Allows Internal Network Probing

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. The endpoint accepts a user-controlled URL, appends `/system/info/public`, and sends a server-side HTTP request with Guzzle. Because there is no restriction on internal hosts, loopback addresses, or private network ranges, this can be abused for SSRF and internal network probing. Any ordinary authenticated user can use this endpoint to make the server connect to arbitrary internal targets and distinguish between different network states. This enables SSRF-based internal reconnaissance, including host discovery, port-state probing, and service fingerprinting. In certain deployments, it may also be usable to reach internal administrative services or cloud metadata endpoints that are not directly accessible from the outside. Version 0.71.1 fixes the issue.

Action-Not Available
Vendor-leepeukerleepeuker
Product-movarymovary
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-40150
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.27% / 18.51%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 21:26
Updated-24 Apr, 2026 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in web_crawl Tool

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. This allows an attacker (or prompt injection in crawled content) to force the agent to fetch cloud metadata endpoints, internal services, or local files via file:// URLs. This vulnerability is fixed in 1.5.128.

Action-Not Available
Vendor-praisonMervinPraison
Product-praisonaiagentsPraisonAIAgents
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-39843
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.25% / 15.69%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 15:43
Updated-17 Apr, 2026 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching

Plane is an an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete which could lead to the same full read Server-Side Request Forgery when a normal html page contains a link tag with an href that redirects to a private IP address is supplied to Add link by an authenticated attacker with low privileges. Redirects for the main page URL are validated, but not the favicon fetch path. fetch_and_encode_favicon() still uses requests.get(favicon_url, ...) with the default redirect-following. This vulnerability is fixed in 1.3.0.

Action-Not Available
Vendor-planemakeplane
Product-planeplane
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-39361
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.27% / 17.89%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 19:02
Updated-14 Apr, 2026 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url

OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.

Action-Not Available
Vendor-openobserveopenobserve
Product-openobserveopenobserve
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-34746
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.30% / 21.34%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 19:43
Updated-13 Apr, 2026 | 18:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Payload has Authenticated SSRF via Upload Functionality

Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.

Action-Not Available
Vendor-payloadcmspayloadcms
Product-payloadpayload
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-35187
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.27% / 18.49%
||
7 Day CHG~0.00%
Published-06 Apr, 2026 | 19:33
Updated-20 Apr, 2026 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
pyLoad has SSRF in parse_urls API endpoint via unvalidated URL parameter

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, read local files via file:// protocol (pycurl reads the file server-side), interact with internal services via gopher:// and dict:// protocols, and enumerate file existence via error-based oracle (error 37 vs empty response).

Action-Not Available
Vendor-pyload-ng_projectpyload
Product-pyload-ngpyload
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-30953
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.22% / 12.25%
||
7 Day CHG~0.00%
Published-10 Mar, 2026 | 20:38
Updated-17 Mar, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LinkAce affected by SSRF via link creation: NoPrivateIpRule not applied to LinkStoreRequest

LinkAce is a self-hosted archive to collect website links. When a user creates a link via POST /links, the server fetches HTML metadata from the provided URL (LinkRepository::create() calls HtmlMeta::getFromUrl()). The LinkStoreRequest validation rules do not include NoPrivateIpRule, allowing server-side requests to internal network addresses, Docker service hostnames, and cloud metadata endpoints. The project already has a NoPrivateIpRule class (app/Rules/NoPrivateIpRule.php) but it is only applied in FetchController.php (line 99), not in the primary link creation path.

Action-Not Available
Vendor-linkaceKovah
Product-linkaceLinkAce
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-36414
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.36% / 28.22%
||
7 Day CHG~0.00%
Published-10 Jun, 2024 | 19:40
Updated-02 Aug, 2024 | 03:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SuiteCRM authenticated Server-Side Request Forgery

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

Action-Not Available
Vendor-SalesAgility Ltd.
Product-suitecrmSuiteCRM
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
  • Previous
  • 1
  • 2
  • Next
Details not found