CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,699 vulnerabilities with CWE-918
CVE-2025-25235 HIGH
Omnissa Secure Email Gateway <2.32-2503 - SSRF
CVSS 8.6
CVE-2025-25229 MEDIUM
Omnissa Workspace ONE UEM < 24.10.0.10, < 24.6.0.34, < 24.2.0.29, < 23.10.0.49 - Server-Side Request Forgery
CVSS 5.4
CVE-2025-8772 MEDIUM
NukeViet < 4.5.06 - Server-Side Request Forgery via Module Handler
CVSS 4.3
CVE-2025-4655 MEDIUM
Liferay DXP 2024.Q1.1-2024.Q1.15 - Server-Side Request Forgery via FreeMarker Template URL Bypass
CVSS 5.0
CVE-2025-4581 HIGH
Liferay Portal 7.4.0-7.4.3.132 & DXP 2024.Q1.1-2025.Q1.4 - Blind SSRF via portal-settings-authentication-opensso-web
CVSS 8.6
CVE-2025-53767 CRITICAL
Azure OpenAI - Privilege Escalation
CVSS 10.0
CVE-2025-51058 MEDIUM
Bottinelli Informatical Vedo Suite 2024.17 - SSRF
CVSS 6.5
CVE-2025-50234 MEDIUM
MCCMS v2.7.0 - Server-Side Request Forgery via Encrypted pic Parameter
CVSS 6.5
CVE-2025-8529 MEDIUM
cloudfavorites favorites-web <1.3.0 - SSRF
CVSS 6.3
CVE-2025-8527 MEDIUM
Exrick xboot < 3.3.4 - Server-Side Request Forgery via Swagger SecurityController
CVSS 6.3
CVE-2025-8520 MEDIUM
vvveb < 1.0.6 - Server-Side Request Forgery via Drag-and-Drop Editor URL Parameter
CVSS 4.7
CVE-2025-8341 MEDIUM
Grafana Infinity Datasource <= 3.4.1 - URL Allowlist Bypass Server-Side Request Forgery
CVSS 5.0
CVE-2025-54132 MEDIUM
Cursor < 1.3 - Server-Side Request Forgery via Mermaid Diagram Image Embedding
CVSS 4.4
CVE-2025-54590 MEDIUM
webfinger.js < 2.8.1 - Server-Side Request Forgery via User Address Lookup
CVE-2025-52567 LOW
GLPI 0.84-10.0.18 - Server-Side Request Forgery via RSS Feed or External Calendar
CVSS 3.5
CVE-2025-54381 CRITICAL
BentoML 1.4.0-1.4.19 - Unauthenticated Server-Side Request Forgery via URL-Based File Upload
CVSS 9.9
CVE-2025-24485 MEDIUM
MedDream PACS Premium 7.3.5.860 - Unauthenticated Server-Side Request Forgery via cecho.php
CVSS 5.8
CVE-2025-8267 HIGH
ssrfcheck < 1.2.0 - Server-Side Request Forgery via Multicast IP Bypass
CVSS 8.2
CVE-2025-8228 MEDIUM
chancms < 3.1.3 - Server-Side Request Forgery via getPages Function
CVSS 6.3
CVE-2025-52455 MEDIUM
Tableau Server < 2025.1.3, < 2024.2.12, < 2023.3.19 - Server-Side Request Forgery
CVSS 5.3
CVE-2025-52454 HIGH
Tableau Server < 2023.3.19 - Server-Side Request Forgery via Amazon S3 Connector
CVSS 8.2
CVE-2025-52453 HIGH
Tableau Server < 2023.3.19 - Server-Side Request Forgery in Flow Data Source Modules
CVSS 8.2
CVE-2025-45939 MEDIUM
Apwide Golive 10.2.0 - Server-Side Request Forgery via Test Webhook Function
CVSS 6.5
CVE-2025-8133 MEDIUM
chancms < 3.1.3 - Server-Side Request Forgery via getArticle Function
CVSS 6.3
CVE-2025-8020 HIGH
private-ip - Server-Side Request Forgery via Multicast IP Address
CVSS 8.2