CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,697 vulnerabilities with CWE-918
CVE-2026-2531 MEDIUM
MindsDB < 25.14.1 - Server-Side Request Forgery via File Upload clear_filename Function
CVSS 6.3
CVE-2026-1249 MEDIUM
MP3 Audio Player by Sonaar 5.3-5.10 - Server-Side Request Forgery via load_lyrics_ajax_callback
CVSS 5.0
CVE-2026-0745 MEDIUM
User Language Switch <1.6.10 - SSRF
CVSS 5.5
CVE-2026-25991 HIGH
Tandoor Recipes < 2.5.1 - Authenticated Blind Server-Side Request Forgery via Cookmate Recipe Import
CVSS 7.7
CVE-2026-26005 MEDIUM
ClipBucket 5.3-5.5.3-45 - Server-Side Request Forgery via Remote Play Video URL
CVSS 5.0
CVE-2026-1356 MEDIUM
Converter for Media - Optimize images | Convert WebP & AVIF plugin ...
CVSS 4.8
CVE-2026-26019 MEDIUM
LangChain Community < 1.1.14 - Server-Side Request Forgery via RecursiveUrlLoader
CVSS 4.1
CVE-2026-25870 MEDIUM
DoraCMS < 3.1 - Server-Side Request Forgery via UEditor Remote Image Fetch
CVSS 5.8
CVE-2026-26013 LOW
langchain-core < 1.2.11 - Server-Side Request Forgery via ChatOpenAI Image URL
CVSS 3.7
CVE-2026-21512 MEDIUM
Azure DevOps Server < 2022.2.0 - Server-Side Request Forgery
CVSS 6.5
CVE-2026-25765 MEDIUM
Faraday 1.0.0-1.10.4 and 2.0.0-2.14.0 - Server-Side Request Forgery via Protocol-Relative URL
CVSS 5.8
CVE-2026-25528 MEDIUM
LangSmith SDK - Server-Side Request Forgery via Baggage Header Injection
CVSS 5.8
CVE-2026-25494 MEDIUM
Craft CMS saveAsset GraphQL - Alternative IP Server-Side Request Forgery
CVSS 6.5
CVE-2026-25493 MEDIUM
Craft CMS saveAsset GraphQL - Redirect-Based Server-Side Request Forgery
CVSS 6.5
CVE-2026-25492 MEDIUM
Craft CMS 3.5.0-4.16.17 & 5.0.0-RC1-5.8.21 - Server-Side Request Forgery via GraphQL
CVSS 6.5
CVE-2026-0632 MEDIUM
Fluent Forms Pro Add On Pack <6.1.12 - SSRF
CVSS 5.4
CVE-2026-25904 MEDIUM
mcp-run-python - Server-Side Request Forgery via Deno Sandbox Configuration
CVSS 5.8
CVE-2026-25123 MEDIUM
homarr < 1.52.0 - Unauthenticated Server-Side Request Forgery via tRPC Endpoint
CVSS 5.3
CVE-2026-25580 HIGH
Pydantic AI 0.0.26-1.56.0 - Server-Side Request Forgery via URL Download Functionality
CVSS 8.6
CVE-2026-1294 HIGH
All In One Image Viewer Block <1.0.2 - SSRF
CVSS 7.2
CVE-2026-1884 MEDIUM
zentao < 21.7.6 - Server-Side Request Forgery via Webhook Module fetchHook Function
CVSS 4.7
CVE-2026-25511 MEDIUM
Group-Office 6.8.0-6.8.149 - Authenticated Server-Side Request Forgery via WOPI Service Discovery URL
CVSS 4.9
CVE-2026-22247 MEDIUM
GLPI 11.0.0-11.0.4 - Authenticated Server-Side Request Forgery via Webhook Feature
CVSS 4.1
CVE-2026-24961 MEDIUM
ThemeGoods Grand Blog < 3.1.5 - SSRF
CVSS 5.4
CVE-2026-1518 LOW
Keycloak - Server-Side Request Forgery via CIBA Backchannel Notification Endpoint
CVSS 2.7