CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,698 vulnerabilities with CWE-918
CVE-2025-64427 HIGH
ZimaOS < 1.5.0 - Authenticated Server-Side Request Forgery via Internal IP Address Targeting
CVSS 7.1
CVE-2025-50199 CRITICAL
Chamilo < 1.11.30 - Server-Side Request Forgery via openid_url Parameter
CVSS 9.1
CVE-2025-50180 HIGH
esm.sh 136 - Full-Response Server-Side Request Forgery
CVSS 7.5
CVE-2025-69299 HIGH
Laborator Oxygen <= 6.0.8 - Server-Side Request Forgery
CVSS 7.2
CVE-2025-8055 MEDIUM
OpenText XM Fax 24.2 - Server-Side Request Forgery
CVSS 5.3
CVE-2025-55853 CRITICAL
SoftVision webPDF < 10.0.2 - Server-Side Request Forgery via PDF Converter Function
CVSS 9.1
CVE-2025-12375 MEDIUM
Printful Integration for WooCommerce <=2.2.11 - SSRF
CVSS 6.4
CVE-2025-36243 MEDIUM
IBM Concert 1.0.0-2.1.0 - Authenticated Server-Side Request Forgery
CVSS 5.4
CVE-2025-32355 HIGH
Rocket TRUfusion Enterprise <7.10.4.0 - SSRF
CVSS 7.3
CVE-2025-12575 MEDIUM
GitLab 18.0-18.6.5, 18.7-18.7.3, 18.8-18.8.3 - Authenticated Server-Side Request Forgery
CVSS 5.4
CVE-2025-12073 MEDIUM
GitLab 18.0-18.6.5, 18.7-18.7.3, 18.8-18.8.3 - Authenticated Server-Side Request Forgery via Git Repository Import
CVSS 4.3
CVE-2025-11242 CRITICAL
Okulistik <= 21102025 - Server-Side Request Forgery
CVSS 9.8
CVE-2025-68458 LOW
webpack 5.49.0-5.104.1 - Server-Side Request Forgery via Crafted URL Userinfo Bypass
CVSS 3.7
CVE-2025-68157 LOW
webpack 5.49.0-5.103.0 - Server-Side Request Forgery via HTTP Redirect Bypass
CVSS 3.7
CVE-2025-62616 CRITICAL
AutoGPT <autogpt-platform-beta-v0.6.34 - SSRF
CVSS 9.8
CVE-2025-62615 CRITICAL
AutoGPT <autogpt-platform-beta-v0.6.34 - SSRF
CVSS 9.8
CVE-2025-46651 MEDIUM
Tiny File Manager < 2.6 - Server-Side Request Forgery via URL Upload Feature
CVSS 4.3
CVE-2025-13096 HIGH
IBM Business Automation Workflow < 24.0.0 - XML External Entity Injection
CVSS 7.1
CVE-2025-68662 HIGH
Discourse <3.5.4, <2025.11.2, <2025.12.1, <2026.1.0 - Auth Bypass
CVSS 7.6
CVE-2025-14610 HIGH
TableMaster for Elementor <1.3.6 - SSRF
CVSS 7.2
CVE-2025-9522 MEDIUM
TP-Link Omada Controllers - Webhook Server-Side Request Forgery
CVSS 5.3
CVE-2025-68030 HIGH
WP Messiah Frontis Blocks <2.1.6 - SSRF
CVSS 7.2
CVE-2025-67961 MEDIUM
WordPress WPO365 <= 40.0 - Server-Side Request Forgery
CVSS 6.4
CVE-2025-64252 MEDIUM
Marco Milesi ANAC XML Viewer <1.8.3 - SSRF
CVSS 4.9
CVE-2025-62741 MEDIUM
SmartDataSoft Pool Services <= 3.3 - SSRF
CVSS 5.4