CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,683 vulnerabilities with CWE-918
CVE-2026-4200 HIGH
glowxq glowxq-oj ProblemCaseController.java uploadTestcaseZipUrl server-side request forgery
CVSS 7.3
CVE-2026-32412 MEDIUM
Gift Up Gift Cards for WordPress and WooCommerce <=3.1.7 - SSRF
CVSS 5.4
CVE-2026-32357 MEDIUM
Simple Blog Card <= 2.37 - Server-Side Request Forgery
CVSS 6.4
CVE-2026-32353 MEDIUM
MailerPress <= 1.4.2 - Server-Side Request Forgery
CVSS 6.4
CVE-2026-32349 MEDIUM
Embed PDF Viewer <= 2.4.7 - Server-Side Request Forgery
CVSS 4.9
CVE-2026-32301 CRITICAL
Centrifugo < 6.7.0 - Server-Side Request Forgery via Dynamic JWKS URL
CVSS 9.3
CVE-2026-32236 HIGH
Backstage plugin-auth-backend < 0.27.1 - Server-Side Request Forgery via Client Metadata Redirect
CVSS 7.5
CVE-2026-21887 HIGH
OpenCTI < 6.8.16 - Server-Side Request Forgery via Data Ingestion URL
CVSS 7.7
CVE-2026-3966 MEDIUM
wvp-GB28181-pro <= 2.7.4-20260107 - Server-Side Request Forgery via MediaServer.streamIp
CVSS 6.3
CVE-2026-3961 MEDIUM
zyddnys manga-image-translator <=beta-0.3 - SSRF
CVSS 6.3
CVE-2026-3958 MEDIUM
ListSync <= 0.6.6 - Server-Side Request Forgery via JSON Handler
CVSS 6.3
CVE-2026-32133 CRITICAL
2fauth < 6.1.0 - Authenticated Server-Side Request Forgery via OTP URL Image Parameter
CVSS 9.1
CVE-2026-32111 MEDIUM
Home Assistant MCP Server < 7.0.0 - OAuth ha_url Server-Side Request Forgery
CVSS 5.3
CVE-2026-32110 HIGH
SiYuan < 3.6.0 - Authenticated Server-Side Request Forgery via forwardProxy
CVSS 8.3
CVE-2026-32096 CRITICAL
Plunk < 0.7.0 - Unauthenticated Server-Side Request Forgery via SNS Webhook
CVSS 9.3
CVE-2026-31974 LOW
OpenProject < 17.2.0 - Server-Side Request Forgery via SMTP Test and Webhooks
CVSS 3.0
CVE-2026-31959 MEDIUM
Quill < 0.7.1 - Server-Side Request Forgery via Notarization Log URL
CVSS 5.3
CVE-2026-31878 MEDIUM
Frappe < 14.100.1, < 15.100.0, < 16.6.0 - Server-Side Request Forgery
CVSS 5.0
CVE-2026-21294 MEDIUM
Adobe Commerce <=2.4.9-alpha3 - SSRF
CVSS 5.5
CVE-2026-21293 MEDIUM
Adobe Commerce <=2.4.9-alpha3 - SSRF
CVSS 5.5
CVE-2026-31829 HIGH
Flowise < 3.0.13 - Server-Side Request Forgery via HTTP Node
CVSS 7.1
CVE-2026-30953 HIGH
LinkAce 2.0 - Link Metadata Server-Side Request Forgery
CVSS 7.7
CVE-2026-27826 HIGH
MCP Atlassian < 0.17.0 - Unauthenticated Server-Side Request Forgery via HTTP Middleware
CVSS 8.2
CVE-2026-26801 HIGH
pdfmake 0.3.0-beta.2-0.3.5 - Server-Side Request Forgery via URLResolver
CVSS 7.5
CVE-2026-26121 HIGH
Azure IoT Explorer < 0.15.14 - Unauthenticated Server-Side Request Forgery
CVSS 7.5