CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,678 vulnerabilities with CWE-918
CVE-2026-10287 HIGH
SourceCodester SEO Meta Tag Extractor 1.0 - Server-Side Request Forgery via get_headers Function
CVSS 7.3
CVE-2026-10280 HIGH
horizon921 mcpilot 0.1.0 - Server-Side Request Forgery via serverBaseUrl Argument
CVSS 7.3
CVE-2026-10276 MEDIUM
hekmon8 Jenkins-server-mcp 0.1.0 - Server-Side Request Forgery via jobPath Function
CVSS 6.3
CVE-2026-10274 MEDIUM
indrasishbanerjee aem-mcp-server Axios Request Flow mcp-server.ts getAssetMetadata server-side request forgery
CVSS 6.3
CVE-2026-49328 MEDIUM
Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF
CVSS 5.3
CVE-2026-10517 MEDIUM
Clair: clair: unauthenticated ssrf via manifest layer uri enables internal network reconnaissance
CVSS 5.8
CVE-2026-10241 MEDIUM
jeecgboot The server processes these URLs Cloud Instance Metadata Endpoint debug FileDownloadUtils.download2DiskFromNet server-side request forgery
CVSS 6.3
CVE-2026-10240 MEDIUM
JeecgBoot test server-side request forgery
CVSS 6.3
CVE-2026-10239 MEDIUM
JeecgBoot edit WordUtil.addImage server-side request forgery
CVSS 6.3
CVE-2026-10177 MEDIUM
Aider-AI Aider AWS EC2 Metadata Endpoint api_docs.py requests.get server-side request forgery
CVSS 6.3
CVE-2026-48555 HIGH
Spatie Laravel Media Library < 11.23.0 SSRF via addMediaFromUrl()
CVSS 7.4
CVE-2026-44285 HIGH
FastGPT: SSRF Protection Bypass via `externalFile` in Dataset Preview API
CVSS 7.7
CVE-2026-49372 HIGH
JetBrains TeamCity - Unauthenticated Server-Side Request Forgery via Build Status
CVSS 7.5
CVE-2026-46372 HIGH
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
CVSS 8.5
CVE-2026-44652 MEDIUM
SillyTavern CORS Proxy - Server-Side Request Forgery
CVE-2026-45660 MEDIUM
Statamic: Server-Side Request Forgery via Glide
CVSS 5.4
CVE-2026-10107 HIGH
MoviePilot v2 SSRF via /api/v1/system/img/{proxy} Endpoint
CVSS 7.7
CVE-2026-10068 HIGH
Shibby Tomato SUBSCRIBE Call miniupnpd send server-side request forgery
CVSS 7.3
CVE-2026-45609 HIGH
mcp-security: Unvalidated URL Fetching (SSRF)
CVSS 7.2
CVE-2026-45619 MEDIUM
AVideo <= 29.0 - DNS Rebinding SSRF
CVSS 6.5
CVE-2026-9557 MEDIUM
Mautic Focus - Authenticated Server-Side Request Forgery via URL Parameter
CVSS 6.4
CVE-2026-42965 HIGH
Openshift/router: openshift/router: cloud metadata ssrf via fqdn-typed endpointslice bypasses destination validation
CVSS 7.7
CVE-2026-10052 MEDIUM
Quay/config-tool: quay/config-tool: ssrf via unfiltered ldap and smtp config validation endpoints
CVSS 4.1
CVE-2026-45366 MEDIUM
typescript-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
CVSS 4.7
CVE-2026-49093 MEDIUM
Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access
CVSS 6.3