CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
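
The defence the description implies is easy to get subtly wrong: checking the hostname string is not enough, because the name an attacker supplies can resolve to an internal address, return a mix of public and internal records, or change between the check and the connection. The following is an added example, not code from the CWE entry or from any project listed on this page. It validates an outbound URL on its resolved addresses, pins the validated IP for the actual connection, and re-validates every redirect hop. All names (UnsafeUrl, plan_request, fetch_pinned, default_resolver) are this example's own, and the lookup table in the demo is constructed so it runs offline; 93.184.216.34 is only a sample public address in that table.

```python
"""Added example (not the CWE entry's or any listed project's code): a CWE-918
policy that validates the resolved destination of an outbound URL, then fetches
through the validated IP so a DNS answer that changes between check and use
cannot redirect the request.  Names and sample data are this example's own."""
import http.client
import ipaddress
import socket
import ssl
from urllib.parse import urljoin, urlsplit, urlunsplit


class UnsafeUrl(ValueError):
    """Raised when a URL must not be fetched on a user's behalf."""


ALLOWED_SCHEMES = {"http": 80, "https": 443}
# RFC 6598 shared address space is not flagged by ipaddress.is_private but is
# never a legitimate public destination for a server-side fetch.
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")


def default_resolver(host):
    """Return every address the OS resolver gives for host (A and AAAA)."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise UnsafeUrl(f"cannot resolve {host!r}: {exc}") from exc
    # Strip an IPv6 scope id (fe80::1%eth0) before parsing.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def is_internal(ip):
    """True for any address a fetch-on-behalf-of-user must never reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is 10.0.0.1 in disguise
    if ip.version == 4 and ip in SHARED_SPACE:
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def plan_request(url, resolver=default_resolver):
    """Validate url; return (scheme, host, port, pinned_ip, path) or raise UnsafeUrl.

    Every resolved address is checked, so a name that mixes one public record
    with one internal record is rejected rather than letting the client pick.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # http://trusted.example@10.0.0.5/ defeats checks that match a prefix.
        raise UnsafeUrl("userinfo in URL")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        port = parts.port or ALLOWED_SCHEMES[parts.scheme]
    except ValueError as exc:
        raise UnsafeUrl(f"bad port: {exc}") from exc
    addrs = resolver(host)
    if not addrs:
        raise UnsafeUrl(f"{host!r} has no address")
    for ip in addrs:
        if is_internal(ip):
            raise UnsafeUrl(f"{host!r} resolves to internal address {ip}")
    path = urlunsplit(("", "", parts.path or "/", parts.query, ""))
    return parts.scheme, host, port, str(addrs[0]), path


def fetch_pinned(url, resolver=default_resolver, max_redirects=3, timeout=5):
    """GET url through the validated IP, re-validating each redirect target."""
    for _ in range(max_redirects + 1):
        scheme, host, port, ip, path = plan_request(url, resolver)
        sock = socket.create_connection((ip, port), timeout=timeout)
        if scheme == "https":
            # The certificate is still verified against the hostname, not the IP.
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.sock = sock  # socket pre-attached: http.client never resolves host itself
        conn.request("GET", path)  # Host header comes from host, not from ip
        resp = conn.getresponse()
        if resp.status in (301, 302, 303, 307, 308):
            location = resp.getheader("Location")
            conn.close()
            if not location:
                raise UnsafeUrl("redirect without Location")
            url = urljoin(url, location)  # next iteration validates the new target
            continue
        body = resp.read()
        conn.close()
        return resp.status, body
    raise UnsafeUrl("too many redirects")


if __name__ == "__main__":
    # Constructed lookup table standing in for DNS so the demo runs offline.
    demo_table = {"api.example": ["93.184.216.34"],
                  "split.example": ["93.184.216.34", "10.0.0.5"]}

    def demo_resolver(h):
        if h in demo_table:
            return [ipaddress.ip_address(a) for a in demo_table[h]]
        return default_resolver(h)  # numeric hosts need no network

    for candidate in ["https://api.example/v1/items?limit=5",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::1]:8080/admin",
                      "http://split.example/",
                      "file:///etc/passwd"]:
        try:
            print("allow", candidate, "->", plan_request(candidate, demo_resolver))
        except UnsafeUrl as err:
            print("deny ", candidate, "->", err)
```

The policy only decides where the server may connect; it does not make a fetch of a public URL safe if the response is then trusted, and it deliberately refuses any scheme other than http and https so that handlers such as file or gopher are never reachable through it. Resolving with the application's own resolver and validating the answers is the check most of the "validation bypass" entries on this page were missing in one form or another.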

2,698 vulnerabilities with CWE-918
CVE-2025-69206 MEDIUM
Hemmelig < 7.3.3 - Authenticated Server-Side Request Forgery via Secret Requests Webhook URL Validation Bypass
CVSS 4.3
CVE-2025-68893 MEDIUM
HETWORKS WordPress Image shrinker <1.1.0 - SSRF
CVSS 4.9
CVE-2025-15098 MEDIUM
YunaiV yudao-cloud < 2025.11 - Server-Side Request Forgery via BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger
CVSS 6.3
CVE-2025-68600 MEDIUM
Link Library <= 7.8.7 - Server-Side Request Forgery
CVSS 4.9
CVE-2025-68500 MEDIUM
Prime Slider - Addons For Elementor <= 4.0.10 - Server-Side Request Forgery
CVSS 4.9
CVE-2025-67623 MEDIUM
6Storage Rentals <= 2.22.0 - Server-Side Request Forgery
CVSS 5.4
CVE-2025-68696 HIGH
httparty < 0.24.0 - Server-Side Request Forgery
CVSS 8.2
CVE-2025-67743 MEDIUM
local-deep-research 1.3.0-1.3.8 - Server-Side Request Forgery via Download Service
CVSS 6.3
CVE-2025-68477 HIGH
Langflow < 1.7.0 - Server-Side Request Forgery via API Request Component
CVSS 7.7
CVE-2025-13999 HIGH
HTML5 Audio Player 2.4.0-2.5.1 - Server-Side Request Forgery via getIcyMetadata()
CVSS 7.2
CVE-2025-64663 CRITICAL
Azure Cognitive Service for Language - Server-Side Request Forgery
CVSS 9.9
CVE-2025-34452 HIGH
Streama 1.10.0-1.10.5 Path Traversal & SSRF via Subtitle Download
CVE-2025-14277 MEDIUM
Prime Slider - Addons for Elementor <= 4.0.9 - SSRF via import_elementor_template
CVSS 4.3
CVE-2025-68150 MEDIUM
Parse Server <8.6.2 & >=9.0.0 <9.1.1-alpha.1 SSRF via Instagram Auth Adapter apiURL
CVSS 6.5
CVE-2025-52196 HIGH
Ctera Portal 8.1.x - Crafted HTML Iframe Server-Side Request Forgery
CVSS 7.5
CVE-2025-14443 MEDIUM
OpenShift API Server Image References - Server-Side Request Forgery
CVSS 6.4
CVE-2025-67989 MEDIUM
LMPixels Kerge <= 4.1.3 - Server-Side Request Forgery
CVSS 5.4
CVE-2025-66407 MEDIUM
Weblate < 5.15 - Server-Side Request Forgery via Mercurial Repository URL
CVSS 5.0
CVE-2025-66844 CRITICAL
Grav < 1.7.49.5 - Server-Side Request Forgery via Twig Template Processing
CVSS 9.1
CVE-2025-13281 MEDIUM
Kubernetes <1.32.10, 1.30.0-1.30.13, 1.31.0-1.31.13, 1.32.0-1.32.8, 1.33.0-1.33.4, 1.34.0 SSRF via Portworx StorageClass
CVSS 5.8
CVE-2025-11970 MEDIUM
Emplibot <= 1.0.9 - Authenticated Server-Side Request Forgery
CVSS 4.4
CVE-2025-14518 MEDIUM
PowerJob < 5.1.2 - Server-Side Request Forgery via PingPongUtils checkConnectivity
CVSS 6.3
CVE-2025-14516 MEDIUM
Yalantis uCrop 2.2.11 - Server-Side Request Forgery via BitmapLoadTask URL Handler
CVSS 6.3
CVE-2025-11467 MEDIUM
RSS Aggregator by Feedzy < 5.1.1 - Unauthenticated Blind Server-Side Request Forgery via feedzy_lazy_load Function
CVSS 5.8
CVE-2025-65512 HIGH
markdownify_mcp_server < 0.0.2 - Server-Side Request Forgery via Webpage-to-Markdown Conversion
CVSS 7.5