Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-56399

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-30 Jun, 2026 | 22:08
Updated At-01 Jul, 2026 | 14:28
Rejected At-
Credits

Open WebUI - Server-Side Request Forgery via Location Redirect in /api/v1/retrieval/process/web

Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–ĽCommon Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:30 Jun, 2026 | 22:08
Updated At:01 Jul, 2026 | 14:28
Rejected At:
â–ĽCVE Numbering Authority (CNA)
Open WebUI - Server-Side Request Forgery via Location Redirect in /api/v1/retrieval/process/web

Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.

Affected Products
Vendor
open-webui
Product
open-webui
Default Status
unaffected
Versions
Affected
  • From 0 before 0.6.27 (semver)
Unaffected
  • 0.6.27 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-918Server-Side Request Forgery (SSRF)
Type: CWE
CWE ID: CWE-918
Description: Server-Side Request Forgery (SSRF)
Metrics
VersionBase scoreBase severityVector
4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
3.15.0MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Version: 3.1
Base score: 5.0
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Mosstrow
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/open-webui/open-webui/security/advisories/GHSA-82r6-c5jm-f3mw
vendor-advisory
https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774
patch
https://www.vulncheck.com/advisories/open-webui-server-side-request-forgery-via-location-redirect-in-api-v1-retrieval-process-web
third-party-advisory
Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-82r6-c5jm-f3mw
Resource:
vendor-advisory
Hyperlink: https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774
Resource:
patch
Hyperlink: https://www.vulncheck.com/advisories/open-webui-server-side-request-forgery-via-location-redirect-in-api-v1-retrieval-process-web
Resource:
third-party-advisory
â–ĽAuthorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/open-webui/open-webui/security/advisories/GHSA-82r6-c5jm-f3mw
exploit
Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-82r6-c5jm-f3mw
Resource:
exploit
Information is not available yet
â–ĽNational Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:30 Jun, 2026 | 23:17
Updated At:02 Jul, 2026 | 18:00

Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.15.0MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
N/A
Type: Secondary
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 5.0
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-918Secondarydisclosure@vulncheck.com
CWE ID: CWE-918
Type: Secondary
Source: disclosure@vulncheck.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774disclosure@vulncheck.com
N/A
https://github.com/open-webui/open-webui/security/advisories/GHSA-82r6-c5jm-f3mwdisclosure@vulncheck.com
N/A
https://www.vulncheck.com/advisories/open-webui-server-side-request-forgery-via-location-redirect-in-api-v1-retrieval-process-webdisclosure@vulncheck.com
N/A
https://github.com/open-webui/open-webui/security/advisories/GHSA-82r6-c5jm-f3mw134c704f-9b21-4f2e-91b3-4a467353bcc0
N/A
Hyperlink: https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-82r6-c5jm-f3mw
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://www.vulncheck.com/advisories/open-webui-server-side-request-forgery-via-location-redirect-in-api-v1-retrieval-process-web
Source: disclosure@vulncheck.com
Resource: N/A
Hyperlink: https://github.com/open-webui/open-webui/security/advisories/GHSA-82r6-c5jm-f3mw
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

79Records found

CVE-2024-52602
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5||MEDIUM
EPSS-0.55% / 42.03%
||
7 Day CHG~0.00%
Published-16 Jan, 2025 | 19:14
Updated-20 Aug, 2025 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) on redirects and federation in Matrix Media Repo

Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. This is fixed in MMR v1.3.8. Users are advised to upgrade. Restricting which hosts MMR is allowed to contact via (local) firewall rules or a transparent proxy and may provide a workaround for users unable to upgrade.

Action-Not Available
Vendor-t2bott2bot
Product-matrix-media-repomatrix-media-repo
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2021-22178
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5||MEDIUM
EPSS-1.11% / 62.02%
||
7 Day CHG~0.00%
Published-24 Mar, 2021 | 16:59
Updated-03 Aug, 2024 | 18:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab affecting all versions starting from 13.2. Gitlab was vulnerable to SRRF attack through the Prometheus integration.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-46990
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5||MEDIUM
EPSS-0.46% / 36.86%
||
7 Day CHG~0.00%
Published-18 Sep, 2024 | 16:55
Updated-17 Nov, 2025 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF Loopback IP filter bypass in directus

Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the `127.0.0.0/8` CIDR range which will block access to any `127.X.X.X` ip instead of just `127.0.0.1`.

Action-Not Available
Vendor-monospacedirectus
Product-directusdirectus
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-41737
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5||MEDIUM
EPSS-0.26% / 17.55%
||
7 Day CHG~0.00%
Published-13 Aug, 2024 | 03:55
Updated-12 Sep, 2024 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management)

SAP CRM ABAP (Insights Management) allows an authenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-crm_abap_insights_managementSAP CRM ABAP (Insights Management)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-39598
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5||MEDIUM
EPSS-0.31% / 22.69%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 04:04
Updated-29 Aug, 2024 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)

SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-customer_relationship_management_s4fndcustomer_relationship_management_webclient_uiSAP CRM WebClient UI
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-9427
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-1.12% / 62.27%
||
7 Day CHG~0.00%
Published-15 Jun, 2020 | 14:52
Updated-04 Aug, 2024 | 10:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OX Guard 2.10.3 and earlier allows SSRF.

Action-Not Available
Vendor-n/aOpen-Xchange AG
Product-ox_guardn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-8118
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-5||MEDIUM
EPSS-1.29% / 66.64%
||
7 Day CHG~0.00%
Published-04 Feb, 2020 | 19:08
Updated-04 Aug, 2024 | 09:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application.

Action-Not Available
Vendor-n/aNovellopenSUSENextcloud GmbH
Product-nextcloud_serversuse_linux_enterprise_serverbackports_sleNextcloud Server
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-36232
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-5||MEDIUM
EPSS-0.97% / 57.75%
||
7 Day CHG~0.00%
Published-22 Feb, 2021 | 20:46
Updated-17 Sep, 2024 | 01:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.

Action-Not Available
Vendor-Atlassian
Product-atlassian-gadgetsjira_serverjira_data_centerdata_centerAtlassian Gadgets
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-37171
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5||MEDIUM
EPSS-0.35% / 27.29%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 04:21
Updated-09 Sep, 2024 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal)

SAP Transportation Management (Collaboration Portal) allows an attacker with non-administrative privileges to send a crafted request from a vulnerable web application. This will trigger the application handler to send a request to an unintended service, which may reveal information about that service. The information obtained could be used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. There is no effect on integrity or availability of the application.

Action-Not Available
Vendor-SAP SE
Product-saptmuitransportation_managementSAP Transportation Management (Collaboration Portal)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2020-12644
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.69% / 48.08%
||
7 Day CHG~0.00%
Published-31 Aug, 2020 | 14:25
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API.

Action-Not Available
Vendor-n/aOpen-Xchange AG
Product-open-xchange_appsuiten/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-39699
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5||MEDIUM
EPSS-0.43% / 34.92%
||
7 Day CHG~0.00%
Published-08 Jul, 2024 | 15:32
Updated-02 Aug, 2024 | 04:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directus has a Blind SSRF On File Import

Directus is a real-time API and App dashboard for managing SQL database content. There was already a reported SSRF vulnerability via file import. It was fixed by resolving all DNS names and checking if the requested IP is an internal IP address. However it is possible to bypass this security measure and execute a SSRF using redirects. Directus allows redirects when importing file from the URL and does not check the result URL. Thus, it is possible to execute a request to an internal IP, for example to 127.0.0.1. However, it is blind SSRF, because Directus also uses response interception technique to get the information about the connect from the socket directly and it does not show a response if the IP address is internal. This vulnerability is fixed in 10.9.3.

Action-Not Available
Vendor-monospacedirectusmonospace
Product-directusdirectusdirectus
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-35527
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 18.91%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 19:56
Updated-07 May, 2026 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incus blind SSRF via image import preflight HEAD request

Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The imgPostURLInfo function constructs and sends a HEAD request directly from the attacker-supplied source URL to resolve image metadata, and this network interaction occurs before the flow reaches the point where the import would be rejected by policy. Although the actual image download is blocked by the project restriction, an authenticated user can coerce the daemon into making blind HEAD requests to arbitrary destinations. These requests include server metadata in custom headers (Incus-Server-Architectures, Incus-Server-Version), which discloses information about the host environment to the attacker-controlled endpoint. This blind SSRF primitive can be used to probe internal services, unroutable address space, or cloud metadata endpoints reachable from the host. This vulnerability pattern is similar to CVE-2026-24767. This issue has been fixed in version 7.0.0.

Action-Not Available
Vendor-linuxcontainerslxc
Product-incusincus
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2018-20497
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-0.66% / 46.96%
||
7 Day CHG~0.00%
Published-30 Dec, 2019 | 21:24
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-26492
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5||MEDIUM
EPSS-0.96% / 57.17%
||
7 Day CHG~0.00%
Published-03 Mar, 2023 | 21:49
Updated-25 Feb, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directus vulnerable to Server-Side Request Forgery On File Import

Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.

Action-Not Available
Vendor-monospacedirectus
Product-directusdirectus
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-26431
Matching Score-4
Assigner-Open-Xchange
ShareView Details
Matching Score-4
Assigner-Open-Xchange
CVSS Score-5||MEDIUM
EPSS-0.84% / 53.35%
||
7 Day CHG~0.00%
Published-20 Jun, 2023 | 07:51
Updated-02 Aug, 2024 | 11:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IPv4-mapped IPv6 addresses did not get recognized as "local" by the code and a connection attempt is made. Attackers with access to user accounts could use this to bypass existing deny-list functionality and trigger requests to restricted network infrastructure to gain insight about topology and running services. We now respect possible IPV4-mapped IPv6 addresses when checking if contained in a deny-list. No publicly available exploits are known.

Action-Not Available
Vendor-Open-Xchange AG
Product-open-xchange_appsuite_backendOX App Suite
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-23943
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5||MEDIUM
EPSS-0.92% / 55.87%
||
7 Day CHG~0.00%
Published-06 Feb, 2023 | 20:18
Updated-10 Mar, 2025 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Blind SSRF via server URL input in the Nextcloud Mail app

Nextcloud mail is an email app for the nextcloud home server platform. In affected versions the SMTP, IMAP and Sieve host fields allowed to scan for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the Nextcloud Maill app is upgraded to 1.15.0 or 2.2.2. The only known workaround for this issue is to completely disable the nextcloud mail app.

Action-Not Available
Vendor-Nextcloud GmbH
Product-mailsecurity-advisories
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-3448
Matching Score-4
Assigner-Switzerland National Cyber Security Centre (NCSC)
ShareView Details
Matching Score-4
Assigner-Switzerland National Cyber Security Centre (NCSC)
CVSS Score-5||MEDIUM
EPSS-0.44% / 35.28%
||
7 Day CHG~0.00%
Published-10 Apr, 2024 | 13:59
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Access Control Leads to Server-Side Request Forgery in Mautic

Users with low privileges can perform certain AJAX actions. In this vulnerability instance, improper access to ajax?action=plugin:focus:checkIframeAvailability leads to a Server-Side Request Forgery by analyzing the error messages returned from the back-end. Allowing an attacker to perform a port scan in the back-end. At the time of publication of the CVE no patch is available.

Action-Not Available
Vendor-Mauticmautic
Product-Mauticmautic
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-8341
Matching Score-4
Assigner-Grafana Labs
ShareView Details
Matching Score-4
Assigner-Grafana Labs
CVSS Score-5||MEDIUM
EPSS-0.28% / 20.07%
||
7 Day CHG~0.00%
Published-04 Aug, 2025 | 08:34
Updated-04 Aug, 2025 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF in Infinity Datasource Plugin

Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints. If the plugin was configured to allow only certain URLs, an attacker could bypass this restriction using a specially crafted URL. This vulnerability is fixed in version 3.4.1.

Action-Not Available
Vendor-Grafana Labs
Product-grafana-infinity-datasource
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-66407
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5||MEDIUM
EPSS-0.18% / 8.02%
||
7 Day CHG~0.00%
Published-15 Dec, 2025 | 23:36
Updated-12 Jan, 2026 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weblate has Server-Side Request Forgery vulnerability

Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application’s error messages clearly differentiate between files that exist and files that do not, revealing information about the server’s filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise. This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message.

Action-Not Available
Vendor-weblateWeblateOrg
Product-weblateweblate
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-34689
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5||MEDIUM
EPSS-0.35% / 27.29%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 04:18
Updated-09 Sep, 2024 | 15:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)

WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-sap_basisbusiness_workflowSAP Business Workflow (WebFlow Services)sap_business_workflow_\(webflow_services\)
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-41654
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 29.12%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 13:40
Updated-11 May, 2026 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weblate is Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/<name>.json contains an attacker-chosen repo URL pointing at a private address (e.g. http://127.0.0.1:9999/) or using a non-allow-listed scheme (e.g. file://, git://). Weblate persists the component via Component.objects.bulk_create([component])[0], which bypasses Django's full_clean() and therefore never runs the validate_repo_url validator. The URL is subsequently written verbatim into .git/config by configure_repo(pull=False). This issue has been patched in version 5.17.1.

Action-Not Available
Vendor-weblateWeblateOrg
Product-weblateweblate
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-33590
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5||MEDIUM
EPSS-0.35% / 27.31%
||
7 Day CHG~0.00%
Published-29 Apr, 2024 | 10:14
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress basepress plugin <= 2.16.1 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery (SSRF) vulnerability in codeSavory Knowledge Base documentation & wiki plugin – BasePress.This issue affects Knowledge Base documentation & wiki plugin – BasePress: from n/a through 2.16.1.

Action-Not Available
Vendor-codeSavory
Product-Knowledge Base documentation & wiki plugin – BasePress
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-35516
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5||MEDIUM
EPSS-0.27% / 19.22%
||
7 Day CHG~0.00%
Published-07 Apr, 2026 | 15:14
Updated-14 Apr, 2026 | 20:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a public URL and then updating it to a private IP. The links:check cron job makes the request server-side without IP filtering. This can expose cloud credentials, internal service data, and network topology. This vulnerability is fixed in 2.5.4.

Action-Not Available
Vendor-linkaceKovah
Product-linkaceLinkAce
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-3216
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-5||MEDIUM
EPSS-0.29% / 20.48%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 15:24
Updated-31 Mar, 2026 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017

Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.

Action-Not Available
Vendor-drupal_canvas_projectThe Drupal Association
Product-drupal_canvasDrupal Canvas
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-23080
Matching Score-4
Assigner-Mend
ShareView Details
Matching Score-4
Assigner-Mend
CVSS Score-5||MEDIUM
EPSS-0.78% / 51.58%
||
7 Day CHG~0.00%
Published-22 Jun, 2022 | 15:40
Updated-17 Sep, 2024 | 02:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
directus - SSRF which leads to internal port scan

In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans.

Action-Not Available
Vendor-rangerstudiodirectus
Product-directusdirectus
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-52567
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-3.5||LOW
EPSS-0.18% / 7.71%
||
7 Day CHG+0.01%
Published-30 Jul, 2025 | 14:07
Updated-04 Aug, 2025 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GLPI has overly permissive URL verification

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19.

Action-Not Available
Vendor-GLPI Project
Product-glpiglpi
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-4655
Matching Score-4
Assigner-Liferay, Inc.
ShareView Details
Matching Score-4
Assigner-Liferay, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.20% / 10.12%
||
7 Day CHG~0.00%
Published-09 Aug, 2025 | 04:46
Updated-19 Dec, 2025 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows template editors to bypass access validations via crafted URLs.

Action-Not Available
Vendor-Liferay Inc.
Product-digital_experience_platformliferay_portalPortalDXP
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-5122
Matching Score-4
Assigner-Grafana Labs
ShareView Details
Matching Score-4
Assigner-Grafana Labs
CVSS Score-5||MEDIUM
EPSS-0.51% / 39.63%
||
7 Day CHG~0.00%
Published-14 Feb, 2024 | 15:06
Updated-13 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSRF in CSV Datasource Plugin

Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare host with no path (e.g. https://www.example.com/ https://www.example.com/` ), requests to an endpoint other than the one configured by the administrator could be triggered by a specially crafted request from any user, resulting in an SSRF vector. AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Action-Not Available
Vendor-Grafana Labs
Product-grafanagrafana-csv-datasource
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2023-48306
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5||MEDIUM
EPSS-0.80% / 52.01%
||
7 Day CHG~0.00%
Published-21 Nov, 2023 | 22:20
Updated-02 Aug, 2024 | 21:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Nextcloud Server DNS pin middleware can be tricked into DNS rebinding allowing SSRF

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, the DNS pin middleware was vulnerable to DNS rebinding allowing an attacker to perform SSRF as a final result. Nextcloud Server 25.0.11, 26.0.6, and 27.1.0 and Nextcloud Enterprise Server 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 contain patches for this issue. No known workarounds are available.

Action-Not Available
Vendor-Nextcloud GmbH
Product-nextcloud_serversecurity-advisories
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
  • Previous
  • 1
  • 2
  • Next
Details not found