CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,698 vulnerabilities with CWE-918
CVE-2025-56589 HIGH
Apryse HTML2PDF < 11.7.0 - Local File Inclusion and Server-Side Request Forgery via InsertFromHtmlString
CVSS 7.5
CVE-2025-68616 HIGH
WeasyPrint < 68.0 - Server-Side Request Forgery via HTTP Redirect Bypass
CVSS 7.5
CVE-2025-15104 MEDIUM
Nu Html Checker (validator.nu) - Server-Side Request Forgery via DNS Rebinding Bypass
CVSS 5.3
CVE-2025-14793 MEDIUM
DK PDF - WordPress PDF Generator <2.3.0 - SSRF
CVSS 5.0
CVE-2025-67647 CRITICAL
SvelteKit 2.19.0-2.49.4 - Server-Side Request Forgery and Denial of Service via Prerendered Routes
CVSS 9.1
CVE-2025-14613 HIGH
GetContentFromURL <= 1.0 - Authenticated Server-Side Request Forgery via URL Parameter
CVSS 7.2
CVE-2025-67685 LOW
FortiSandbox 4.0.0-4.4.0, 5.0.0-5.0.4 - Authenticated Server-Side Request Forgery via Crafted HTTP Requests
CVSS 3.8
CVE-2025-65784 MEDIUM
Hubert Imoveis e Administracao Ltda Hub <2.0.1.27.3 - Info Disclosure
CVSS 6.5
CVE-2025-13393 MEDIUM
WordPress FIFU <=5.3.1 Elementor Widget - Contributor Server-Side Request Forgery
CVSS 4.3
CVE-2025-22726 MEDIUM
_nK nK Themes Helper <= 1.7.9 - SSRF
CVSS 6.4
CVE-2025-69222 CRITICAL
LibreChat Actions - Internal Service Server-Side Request Forgery
CVSS 9.1
CVE-2025-58441 MEDIUM
Knowage < 8.1.37 - Server-Side Request Forgery
CVSS 6.5
CVE-2025-49335 MEDIUM
minnur External Media <1.0.36 - SSRF
CVSS 4.9
CVE-2025-14438 MEDIUM
Xagio SEO - AI Powered SEO <7.1.0.30 - SSRF
CVSS 6.4
CVE-2025-68437 MEDIUM
Craft CMS 4.0.0-RC1-4.16.16 & 5.0.0-RC1-5.8.20 - SSRF via GraphQL save_<VolumeName>_Asset Mutation
CVSS 6.8
CVE-2025-61916 HIGH
Spinnaker < 2025.1.6, 2025.2.3, 2025.3.0 - Server-Side Request Forgery via Artifact Provider URL Input
CVSS 7.9
CVE-2025-67427 MEDIUM
evershop < 2.1.0 - Unauthenticated Blind Server-Side Request Forgery via Images API src Parameter
CVSS 6.5
CVE-2025-15414 MEDIUM
go-sonic sonic <= 1.1.4 - Server-Side Request Forgery via Theme Fetching API
CVSS 4.7
CVE-2025-14627 MEDIUM
WP Import - Ultimate CSV XML Importer for WordPress <7.35 - SSRF
CVSS 6.4
CVE-2025-34469 HIGH
Cowrie < 2.9.0 - Unauthenticated Server-Side Request Forgery via wget and curl Emulation
CVSS 7.5
CVE-2025-62088 MEDIUM
WordPress & WooCommerce Scraper Plugin - SSRF
CVSS 5.4
CVE-2025-59138 MEDIUM
Jthemes Genemy <= 1.6.6 - Server-Side Request Forgery
CVSS 4.9
CVE-2025-15373 MEDIUM
EyouCMS < 1.7.8 - Server-Side Request Forgery via saveRemote Function
CVSS 6.3
CVE-2025-15264 HIGH
FeehiCMS < 2.1.1 - Server-Side Request Forgery via TimThumb src Argument
CVSS 7.3
CVE-2025-69014 MEDIUM
Youzify <= 1.3.7 - Server-Side Request Forgery
CVSS 4.9