CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,698 vulnerabilities with CWE-918
CVE | Severity | CVSS | Title
CVE-2025-12800 | MEDIUM | 6.4 | Shortcodes Ultimate <= 7.4.5 - Authenticated SSRF via su_shortcode_csv_table
CVE-2025-62207 | HIGH | 8.6 | Azure Monitor - Server-Side Request Forgery
CVE-2025-13147 | MEDIUM | 5.3 | Progress MOVEit Transfer < 2024.1.8, 2025.0.0-2025.0.3 - Server-Side Request Forgery
CVE-2025-12359 | MEDIUM | 5.4 | Responsive Lightbox & Gallery <2.5.3 - SSRF
CVE-2025-63408 | HIGH | 7.8 | Local Agent DVR <6.6.1.0 - Path Traversal
CVE-2025-8084 | MEDIUM | 6.8 | AI Engine < 3.1.8 - Authenticated Server-Side Request Forgery via rest_helpers_create_images
CVE-2025-12376 | MEDIUM | 6.4 | Icon List Block <= 1.2.1 - Authenticated Server-Side Request Forgery
CVE-2025-11427 | MEDIUM | 5.8 | WP Migrate Lite <= 2.7.6 - Unauthenticated Blind SSRF via wpmdb_flush
CVE-2025-12962 | MEDIUM | 6.4 | Local Syndication <= 1.5a - Authenticated Server-Side Request Forgery via URL Parameter
CVE-2025-13174 | MEDIUM | 6.3 | rachelos WeRSS we-mp-rss <= 1.4.7 - Server-Side Request Forgery via Webhook Module
CVE-2025-54560 | LOW | 3.8 | Desktop Alert PingAlert Application Server 6.1.0.11-6.1.1.2 - Server-Side Request Forgery
CVE-2025-64752 | MEDIUM | 6.8 | grist-core < 1.7.7 - Server-Side Request Forgery via URL Fetch Feature
CVE-2025-64709 | CRITICAL | 9.6 | typebot < 3.13.1 - Authenticated Server-Side Request Forgery via Webhook Block
CVE-2025-64525 | MEDIUM | 6.5 | Astro 2.16.0-5.15.4 - Server-Side Request Forgery via x-forwarded-proto Header
CVE-2025-64511 | HIGH | 7.4 | maxkb < 2.3.1 - Server-Side Request Forgery via Python Tool Module
CVE-2025-52186 | MEDIUM | 6.5 | lichess/lila < 2025-06-02 - Server-Side Request Forgery via Game Export API Players Parameter
CVE-2025-59088 | HIGH | 8.6 | kdcproxy - DNS SRV Realm Server-Side Request Forgery
CVE-2025-64522 | CRITICAL | 9.1 | Soft Serve < 0.11.1 - Server-Side Request Forgery via Webhook URL
CVE-2025-64430 | HIGH | 7.5 | Parse Server 4.2.0-7.5.3 and 8.0.0-8.3.1-alpha.1 - Server-Side Request Forgery via File Upload URI Parameter
CVE-2025-64180 | CRITICAL | 10.0 | Manager-io/Manager <25.11.1.3085 - Privilege Escalation
CVE-2025-64178 | HIGH | - | jellysweep < 0.13.0 - Authenticated Server-Side Request Forgery via Image Cache URL Parameter
CVE-2025-64327 | MEDIUM | 5.3 | ThinkDashboard < 0.6.8 - Server-Side Request Forgery via /api/ping URL Parameter
CVE-2025-63551 | HIGH | 7.5 | MetInfo < 8.1 - Server-Side Request Forgery via XML External Entity Injection
CVE-2025-60541 | HIGH | 7.3 | linshenkx prompt-optimizer <1.4.2 - SSRF
CVE-2025-12560 | MEDIUM | 4.3 | WordPress Blog2Social <= 8.6.0 getFullContent - Subscriber Server-Side Request Forgery