Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-918

CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,437 vulnerabilities with CWE-918

CVE-2026-6979 MEDIUM

devlikeapro WAHA API Request media.controller.ts server-side request forgery

CVE-2026-41488 LOW

angchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding

CVE-2026-41481 MEDIUM

LangChain: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass

CVE-2026-42043 HIGH

Axios <1.15.1, <0.31.1 - Auth Bypass

CVE-2026-42038 MEDIUM

Axios <1.15.1, <0.31.1 - Proxy Bypass

CVE-2026-41321 LOW

@astrojs/cloudflare: SSRF via redirect following in Cloudflare image-binding-transform endpoint

CVE-2026-41323 HIGH

Kyverno: ServiceAccount token leaked to external servers via apiCall service URL

CVE-2026-31955 MEDIUM

Xibo CMS has Authenticated Server-Side Request Forgery (SSRF) in Remote DataSet Functionality

CVE-2026-41361 HIGH

OpenClaw < 2026.3.28 - SSRF Guard Bypass via IPv6 Special-Use Ranges

CVE-2026-35431 CRITICAL

Microsoft Entra ID Entitlement Management Spoofing Vulnerability

CVE-2026-32210 CRITICAL

Microsoft Dynamics 365 (online) Spoofing Vulnerability

CVE-2026-26150 HIGH

Microsoft Purview eDiscovery Elevation of Privilege Vulnerability

CVE-2026-41272 HIGH

Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)

CVE-2026-41271 HIGH

Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains

CVE-2026-41270 HIGH

Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox

CVE-2026-41461 HIGH

SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview

CVE-2026-41455 HIGH

WeKan < 8.35 SSRF via Webhook URL

CVE-2026-41177 MEDIUM

Squidex has Blind SSRF via file:// Protocol in Restore API leading to Local File Interaction

CVE-2026-41172 HIGH

Squidex vulnerable to Server-Side Request Forgery (SSRF) via URL-based asset upload (/api/apps/{app}/assets)

CVE-2026-41171 HIGH

SSRF via Jint Scripting Engine HTTP Functions Due to Missing SSRF Protection on "Jint" HttpClient

CVE-2026-41170 HIGH

Squidex has SSRF via Backup Restore Endpoint — Admin-Controlled URL Download Allows Internal and External Requests

CVE-2026-35548 HIGH

guardsix ODBC Enrichment Plugins <5.2.1 - Auth Bypass

CVE-2026-41130 MEDIUM

Craft CMS has a host header injection leading to SSRF via resource-js endpoint

CVE-2026-41129 MEDIUM

Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations

CVE-2026-5921 HIGH

Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack

Previous Page 2 of 98 Next

Details

Vulnerabilities 2,437

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy