CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,683 vulnerabilities with CWE-918
CVE             Severity  CVSS  Title
CVE-2026-28508  HIGH      8.6   idno/known < 1.6.4 - Unauthenticated Server-Side Request Forgery via URL Unfurl Endpoint
CVE-2026-28476  HIGH      8.3   OpenClaw < 2026.2.14 - Server-Side Request Forgery via Tlon Urbit Extension Authentication
CVE-2026-28467  MEDIUM    6.5   OpenClaw < 2026.2.2 - Server-Side Request Forgery via Attachment and Media URL Hydration
CVE-2026-28451  HIGH      8.3   OpenClaw < 2026.2.14 - Server-Side Request Forgery via Feishu Extension Media Fetching
CVE-2026-27023  MEDIUM    5.0   twenty < 1.18.0 - Authenticated Server-Side Request Forgery via Redirect Bypass
CVE-2026-28036  MEDIUM    6.4   SkatDesign Ratatouille <= 1.2.6 - Server-Side Request Forgery
CVE-2026-3125   MEDIUM    6.5   @opennextjs/cloudflare < 1.17.1 - Server-Side Request Forgery via Path Normalization Bypass
CVE-2026-1273   HIGH      7.2   PostX WordPress Plugin <= 5.0.8 - Administrator Server-Side Request Forgery
CVE-2026-27600  MEDIUM    5.0   HomeBox < 0.23.1 - Authenticated Server-Side Request Forgery via Notifier URL Parameter
CVE-2026-28423  MEDIUM    6.8   Statamic CMS < 5.73.11 and 6.4.0 - Glide Image Proxy Server-Side Request Forgery
CVE-2026-27759  -         -     featured-image-from-content < 1.7 - SSRF
CVE-2026-28416  HIGH      8.2   Gradio < 6.6.0 - Server-Side Request Forgery via Malicious Space Proxy URL
CVE-2026-28271  MEDIUM    6.5   Kiteworks < 9.2.0 - SSRF via DNS Rebinding
CVE-2026-2252   HIGH      7.5   Xerox FreeFlow Core <= 8.0.7 - XXE/SSRF
CVE-2026-3286   MEDIUM    6.3   itwanger paicoding 1.0.0-1.0.3 - SSRF
CVE-2026-3270   MEDIUM    6.3   psi-probe < 5.3.0 - Server-Side Request Forgery via Whois Function
CVE-2026-28295  MEDIUM    4.3   GVfs FTP Backend - Malicious FTP Server Port Scanning
CVE-2026-27945  MEDIUM    6.5   ZITADEL 2.59.0-4.11.0 - Server-Side Request Forgery via Action V2 Target URL
CVE-2026-27829  MEDIUM    6.5   Astro 9.0.0 to 9.5.3 - inferSize Image Pipeline Server-Side Request Forgery
CVE-2026-27818  HIGH      7.5   TerriaJS-Server < 4.0.3 - Server-Side Request Forgery via Proxy Domain Validation Bypass
CVE-2026-27808  MEDIUM    5.8   Mailpit < 1.29.2 - Unauthenticated Server-Side Request Forgery via Link Check API
CVE-2026-24005  NONE      -     Kruise 1.7.0-1.7.4 and 1.8.0-1.8.2 - Server-Side Request Forgery via PodProbeMarker Host Field
CVE-2026-27795  MEDIUM    4.1   langchainjs < 1.1.8 - Server-Side Request Forgery via RecursiveUrlLoader Redirect Bypass
CVE-2026-27739  CRITICAL  -     Angular CLI < 21.2.0-rc.1, 21.0.0-21.1.4, 20.0.0-20.3.16, < 19.2.21 - SSRF via Unvalidated Headers
CVE-2026-3189   LOW       3.1   feiyuchuixue sz-boot-parent <= 1.3.2-beta - SSRF