CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,698 vulnerabilities with CWE-918
CVE-2025-67494 CRITICAL
ZITADEL < 4.7.1 - Unauthenticated Server-Side Request Forgery via x-zitadel-forward-host Header
CVSS 9.3
CVE-2025-65513 HIGH
fetch_mcp_server < 1.0.2 - Server-Side Request Forgery via Private IP Validation Bypass
CVSS 7.5
CVE-2025-63010 MEDIUM
Hercules Core <= 7.4 - Server-Side Request Forgery
CVSS 4.9
CVE-2025-12832 MEDIUM
IBM InfoSphere Information Server <11.7.1.6 - SSRF
CVSS 4.6
CVE-2025-26487 HIGH
Infinera MTC-9 Firmware >=22.1.1.0275 <23.0 - Unauthenticated Server-Side Request Forgery
CVSS 8.6
CVE-2025-14116 MEDIUM
Yuxi-Know < 0.4.0 - Server-Side Request Forgery via OtherEmbedding.aencode Health URL Parameter
CVSS 4.7
CVE-2025-59775 HIGH
Apache HTTP Server 2.4.0-2.4.65 - Server-Side Request Forgery via AllowEncodedSlashes and MergeSlashes Configuration
CVSS 7.5
CVE-2025-65958 HIGH
Open WebUI < 0.6.37 - Authenticated Server-Side Request Forgery
CVSS 8.5
CVE-2025-14008 MEDIUM
xunruicms < 4.7.1 - Server-Side Request Forgery via test_site_domain API
CVSS 4.7
CVE-2025-14004 MEDIUM
xunruicms < 4.7.1 - Server-Side Request Forgery via Email Setting Handler
CVSS 4.7
CVE-2025-20388 LOW
Splunk <10.0.1-9.2.10 - Info Disclosure
CVSS 2.7
CVE-2025-13872 CRITICAL
ObjectPlanet Opinio 7.26 rev12562 - Server-Side Request Forgery via Survey Import Feature
CVSS 9.1
CVE-2025-66405 CRITICAL
Portkey.ai Gateway < 1.14.0 - Server-Side Request Forgery via x-portkey-custom-host Header
CVSS 9.8
CVE-2025-65836 CRITICAL
PublicCMS V5.202506.b - Server-Side Request Forgery in SimpleAiAdminController
CVSS 9.1
CVE-2025-27232 MEDIUM
Zabbix Frontend 7.4.0-7.4.2 - Authenticated Server-Side Request Forgery via OAuth Authorize Action
CVSS 4.9
CVE-2025-13814 HIGH
mogublog < 5.2 - Server-Side Request Forgery via LocalFileServiceImpl.uploadPictureByUrl
CVSS 7.3
CVE-2025-13809 MEDIUM
orionsec orion-ops < 2025-08-01 - Server-Side Request Forgery via SSH Connection Handler
CVSS 6.3
CVE-2025-13796 MEDIUM
deco-cx apps <= 0.120.1 - Server-Side Request Forgery via AnalyticsScript URL Parameter
CVSS 6.3
CVE-2025-13789 MEDIUM
zentao < 21.7.6 - Server-Side Request Forgery via Base Argument in makeRequest Function
CVSS 6.3
CVE-2025-66201 HIGH
LibreChat < 0.8.1-rc2 - Authenticated Server-Side Request Forgery via Actions Feature
CVSS 8.1
CVE-2025-13378 MEDIUM
AYS AI ChatBot WordPress Plugin <=2.7.0 - Unauthenticated Server-Side Request Forgery
CVSS 6.5
CVE-2025-34350 HIGH
UnForm Server <10.1.15 - Info Disclosure
CVE-2025-33203 HIGH
NVIDIA NeMo Agent Toolkit UI - SSRF
CVSS 7.6
CVE-2025-62155 HIGH
QuantumNous new-api < 0.9.6 - Server-Side Request Forgery via 302 Redirect Bypass
CVSS 8.5
CVE-2025-13588 MEDIUM
lKinderBueno Streamity Xtream IPTV Player <2.8 - SSRF
CVSS 6.3