CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,698 vulnerabilities with CWE-918
CVE-2026-0600 MEDIUM
Sonatype Nexus Repository <3.88.0 - SSRF
CVE-2026-0532 HIGH
Kibana 8.15.0-8.19.8, 9.0.0-9.1.8, 9.2.0-9.2.2 - Authenticated Arbitrary File Read and SSRF via Google Gemini Connector
CVSS 8.6
CVE-2026-20958 MEDIUM
Microsoft SharePoint Server - Server-Side Request Forgery
CVSS 5.4
CVE-2026-22805 HIGH
Metabase <55.13, 56.3, 57.1 - Info Disclosure
CVSS 8.6
CVE-2026-22772 MEDIUM
Fulcio < 1.8.5 - Server-Side Request Forgery via MetaIssuer URL Validation Bypass
CVSS 5.8
CVE-2026-22597 LOW
Ghost 5.38.0-5.130.5 and 6.0.0-6.10.3 - Authenticated Server-Side Request Forgery via Media Inliner
CVSS 2.7
CVE-2026-22245 HIGH
Mastodon < 4.2.29 - Server-Side Request Forgery via IP Address Range Bypass
CVSS 7.5
CVE-2026-21885 MEDIUM
Miniflux 2.0.0-2.2.15 - Authenticated Server-Side Request Forgery via Media Proxy Endpoint
CVSS 6.5
CVE-2026-21859 MEDIUM
Mailpit < 1.28.1 - Server-Side Request Forgery via Proxy Endpoint
CVSS 5.8
CVE-2026-0649 MEDIUM
invoiceninja <= 5.12.38 - Server-Side Request Forgery via Company Logo Import
CVSS 4.7
CVE-2026-21433 HIGH
emlog <= 2.5.19 - Server-Side Request Forgery via SVG File Upload
CVSS 7.7
CVE-2025-58175 MEDIUM
GeoServer < 2.26.4 and 2.27.0-2.27.2 - Server-Side Request Forgery
CVSS 6.5
CVE-2025-60175 MEDIUM
WordPress PopAd Plugin <= 1.0.4 - Server Side Request Forgery (SSRF) Vulnerability
CVSS 4.4
CVE-2025-14290 MEDIUM
IBM webMethods Integration Server is vulnerable to server-side request forgery
CVSS 5.4
CVE-2025-59809 MEDIUM
FortiSOAR 7.3.0-7.6.4 - Authenticated Server-Side Request Forgery
CVSS 4.3
CVE-2025-62718 CRITICAL
Axios <1.15.0 and <0.31.0 NO_PROXY - Server-Side Request Forgery
CVSS 9.9
CVE-2025-50228 CRITICAL
JizhiCMS 2.5.4 - Server-Side Request Forgery
CVSS 9.1
CVE-2025-15611 MEDIUM
Popup Box AYS Pro <5.5.0 - Admin Cross-Site Scripting via CSRF
CVSS 5.4
CVE-2025-12886 HIGH
Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery via route_path
CVSS 7.2
CVE-2025-14912 MEDIUM
IBM InfoSphere Information Server is vulnerable to server-side request forgery
CVSS 5.4
CVE-2025-71259 MEDIUM
BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 Blind SSRF in externalfeed/RSS
CVSS 4.3
CVE-2025-71258 MEDIUM
BMC FootPrints ITSM 20.20.02 <= 20.24.01.001 Blind SSRF in searchWeb
CVSS 4.3
CVE-2025-69239 LOW
Server-Side Request Forgery in Raytha CMS
CVSS 2.7
CVE-2025-70027 HIGH
Sunbird-Ed SunbirdEd-portal 1.13.4 - SSRF
CVSS 7.5
CVE-2025-70042 CRITICAL
ThermaKube - Server-Side Request Forgery
CVSS 9.8