CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
2,683 vulnerabilities with CWE-918
CVE-2026-27706
HIGH
Plane < 1.2.2 - Authenticated Server-Side Request Forgery via Add Link Feature
CVSS 7.7
CVE-2026-27730
HIGH
esm.sh <= 137 - DNS Alias Server-Side Request Forgery
CVSS 7.5
CVE-2026-2479
MEDIUM
Responsive Lightbox & Gallery <2.7.1 - SSRF
CVSS 5.0
CVE-2026-3163
MEDIUM
SourceCodester Website Link Extractor 1.0 - SSRF
CVSS 6.3
CVE-2026-27696
HIGH
changedetection.io < 0.54.1 - Server-Side Request Forgery via Watch URL Validation Bypass
CVSS 8.6
CVE-2026-27477
MEDIUM
Mastodon 4.4.0-4.4.13/4.5.0-4.5.6 - SSRF
CVSS 5.9
CVE-2026-26222
CRITICAL
Altec DocLink 4.0.336.0 - Deserialization
CVSS 9.8
CVE-2026-27732
HIGH
WWBN AVideo < 22.0 - Authenticated Server-Side Request Forgery via aVideoEncoder.json.php DownloadURL Parameter
CVSS 8.1
CVE-2026-27567
MEDIUM
Payload < 3.75.0 - Authenticated Server-Side Request Forgery via External File Upload
CVSS 6.5
CVE-2026-27129
MEDIUM
Craft CMS GraphQL Asset IPv6 - Server-Side Request Forgery
CVSS 6.5
CVE-2026-3052
MEDIUM
dinky < 1.2.5 - Server-Side Request Forgery via Flink Proxy Controller
CVSS 6.3
CVE-2026-25545
HIGH
@astrojs/node < 9.5.4 - Server-Side Request Forgery via Host Header Manipulation
CVSS 8.6
CVE-2026-3026
HIGH
JEEWMS < 3.7 - Server-Side Request Forgery via UEditor getRemoteImage.jsp
CVSS 7.3
CVE-2026-2985
MEDIUM
Tiandy Video Surveillance System 7.17.0 - SSRF
CVSS 6.3
CVE-2026-2945
MEDIUM
JeecgBoot 3.9.0 uploadImgByHttp - fileUrl Server-Side Request Forgery
CVSS 6.3
CVE-2026-27488
HIGH
OpenClaw < 2026.2.19 - Server-Side Request Forgery via Cron Webhook Delivery
CVSS 7.3
CVE-2026-27479
HIGH
wallos < 4.6.1 - Server-Side Request Forgery via Logo Upload Redirect Bypass
CVSS 7.7
CVE-2026-27170
HIGH
OpenSift < 1.1.3 - Server-Side Request Forgery via URL Ingest
CVSS 7.1
CVE-2026-26324
HIGH
OpenClaw < 2026.2.14 - Server-Side Request Forgery via IPv6 Literal Bypass
CVSS 7.5
CVE-2026-26322
HIGH
OpenClaw < 2026.2.14 - Server-Side Request Forgery via Gateway Tool URL Override
CVSS 7.6
CVE-2026-26286
HIGH
SillyTavern < 1.16.0 - Authenticated Server-Side Request Forgery via Asset Download Endpoint
CVSS 8.5
CVE-2026-27472
MEDIUM
SPIP 4.4.0-4.4.8 - Authenticated Blind Server-Side Request Forgery via Syndicated Sites
CVSS 4.3
CVE-2026-26339
CRITICAL
Hyland Alfresco Transformation Service - RCE
CVSS 9.8
CVE-2026-26338
CRITICAL
Hyland Alfresco Transformation Service - SSRF
CVSS 9.8
CVE-2026-2274
HIGH
AppSheet Web (Main Server) < 2025-11-23 - Authenticated Server-Side Request Forgery and Arbitrary File Read