CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,708 vulnerabilities with CWE-918
CVE-2025-49545 MEDIUM
Adobe ColdFusion <= 2025.2, <= 2023.14, <= 2021.20 - Authenticated Server-Side Request Forgery
CVSS 6.2
CVE-2025-0292 MEDIUM
Ivanti Connect Secure <22.7R2.8 - SSRF
CVSS 5.5
CVE-2025-42965 MEDIUM
SAP CMC Promotion Management - Info Disclosure
CVSS 4.1
CVE-2025-53473 HIGH
Nimesa Backup and Recovery < 3.0.2025062305 - Server-Side Request Forgery
CVSS 7.3
CVE-2025-7103 MEDIUM
BoyunCMS < 1.4.20 - Server-Side Request Forgery via curl in /application/pay/controller/Index.php
CVSS 6.3
CVE-2025-49418 HIGH
Allmart <= 1.0.0 - Server-Side Request Forgery
CVSS 7.2
CVE-2025-28963 MEDIUM
Md Yeasin Ul Haider URL Shortener <3.0.7 - SSRF
CVSS 5.4
CVE-2025-6729 MEDIUM
PayMaster for WooCommerce <= 0.4.31 - Authenticated Server-Side Request Forgery via wp_ajax_paym_status AJAX Action
CVSS 6.4
CVE-2025-5817 HIGH
Amazon Products to WooCommerce <1.2.7 - SSRF
CVSS 7.2
CVE-2025-34051 MEDIUM
AVTECH DVR - Server-Side Request Forgery
CVE-2025-45872 CRITICAL
ZrLog 3.1.5 downloadUrl - Server-Side Request Forgery
CVSS 9.8
CVE-2025-52491 MEDIUM
Akamai CloudTest < 12989 - Server-Side Request Forgery
CVSS 5.8
CVE-2025-53018 LOW
Lychee < 6.6.13 - Server-Side Request Forgery via Photo::fromUrl Endpoint
CVSS 3.0
CVE-2025-6762 MEDIUM
diyhi bbs < 6.8 - Server-Side Request Forgery via Host Header in HTTP Header Handler
CVSS 6.3
CVE-2025-2940 HIGH
Ninja Tables - Easy Data Table Builder <5.0.18 - SSRF
CVSS 7.2
CVE-2025-52477 HIGH
octo-sts/app < 0.5.3 - Unauthenticated Server-Side Request Forgery via OpenID Connect Token Fields
CVSS 8.6
CVE-2025-49852 HIGH
ControlID iDSecure < 4.7.50.0 - Unauthenticated Server-Side Request Forgery
CVSS 7.5
CVE-2025-2828 CRITICAL
langchain < 0.0.28 - Server-Side Request Forgery via RequestsToolkit
CVSS 10.0
CVE-2025-6517 MEDIUM
Dromara MaxKey <= 4.1.7 - Server-Side Request Forgery via SAML20DetailsController Meta URL Handler
CVSS 6.3
CVE-2025-52967 MEDIUM
MLflow < 3.1.0 - Server-Side Request Forgery via Gateway Path Validation Bypass
CVSS 5.8
CVE-2025-34021 HIGH
Selea Targa IP OCR-ANPR Camera - Server-Side Request Forgery via JSON POST Parameters
CVE-2025-52713 MEDIUM
BoldGrid Post and Page Builder <1.27.8 - SSRF
CVSS 6.4
CVE-2025-49985 MEDIUM
Ali Irani Auto Upload Images <3.3.2 - SSRF
CVSS 4.9
CVE-2025-49984 MEDIUM
PowerPress Podcasting <11.12.11 - SSRF
CVSS 4.9
CVE-2025-49983 MEDIUM
WPThumb <= 0.10 - Server-Side Request Forgery
CVSS 4.9