Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-918

CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,678 vulnerabilities with CWE-918

CVE-2026-45412 MEDIUM

MaxKB: Unauthenticated SSRF via Workflow Template Import

CVE-2026-42336 MEDIUM

MaxKB: SSRF Bypass via DNS Rebinding in MaxKB OSS URL Fetch

CVE-2026-42335 MEDIUM

MaxKB: SSRF Bypass in MaxKB OSS URL Fetch due to URL Parsing Discrepancy

CVE-2026-44502 MEDIUM

Bugsink: SSRF bypass in `validate_webhook_url`

CVE-2026-2264 CRITICAL

Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy.

CVE-2026-43936 MEDIUM

e107: Server-Side Request Forgery (SSRF) in the remote file fetcher

CVE-2026-40564 MEDIUM

Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator

CVE-2026-45082 HIGH

Karakeep <0.32.0 Redirect Handling - Server-Side Request Forgery Bypass

CVE-2026-44598 MEDIUM

Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)

CVE-2026-48843 HIGH

Roundcube Webmail - Server-Side Request Forgery (SSRF)

CVE-2026-9464 MEDIUM

YunaiV yudao-cloud Admin API Endpoint create IotDataSinkHttpConfig server-side request forgery

CVE-2026-47076 MEDIUM

SSRF allowlist bypass via percent-encoded host in hackney

CVE-2026-9372 HIGH

ItzCrazyKns Vane Model Provider API route.ts server-side request forgery

CVE-2026-9304 MEDIUM

calcom cal.diy Logo API route.ts validateUrlForSSRF server-side request forgery

CVE-2026-39965 HIGH

TypeBot: SSRF via Open Redirect Bypass in HTTP Request and Code Blocks

CVE-2026-34207 HIGH

TypeBot: SSRF Protection Bypass via DNS-Resolved Hostnames in Webhook / HTTP Request Validation

CVE-2026-33712 CRITICAL

TypeBot: Unauthenticated SSRF via isolated-vm fetch in preview chat endpoint bypasses SSRF controls

CVE-2026-7325 HIGH

Devolutions Server - Server-Side Request Forgery (SSRF)

CVE-2026-7798 MEDIUM

FluentCRM <= 2.9.87 - Unauthenticated Blind Server-Side Request Forgery via 'SubscribeURL' Parameter

CVE-2026-7890 MEDIUM

Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block

CVE-2026-6394 MEDIUM

Nexa Blocks <= 1.1.1 - Unauthenticated Blind Server-Side Request Forgery via 'demo_json_file' Parameter

CVE-2026-33637 NONE

Faraday: Protocol-relative URI objects still bypass host scoping (possible incomplete fix for GHSA-33mh-2634-fwr2)

CVE-2026-47358 HIGH

Tenable Terrascan < 1.18.3 - Externally Controlled Reference to a Resource in Another Sphere

CVE-2026-47357 HIGH

Tenable Terrascan < 1.18.3 - Externally Controlled Reference to a Resource in Another Sphere

CVE-2026-47356 HIGH

Terrascan < 1.18.3 - Unauthenticated Server-Side Request Forgery via Webhook URL Parameter

Previous Page 5 of 108 Next

Details

Vulnerabilities 2,678

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy