CWE-918: Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,714 vulnerabilities with CWE-918
CVE ID | Severity | CVSS | Description
CVE-2025-23082 | HIGH | 7.2 | Veeam Backup for Microsoft Azure 7.0.0.467-7.1.0.59 - Unauthenticated Server-Side Request Forgery
CVE-2025-21385 | HIGH | 8.8 | Microsoft Purview - Server-Side Request Forgery
CVE-2025-22215 | MEDIUM | 4.3 | VMware Aria Automation < 8.18.1 patch 1 - Server-Side Request Forgery
CVE-2024-50337 | MEDIUM | 5.3 | Chamilo LMS < 1.11.28 - Unauthenticated Server-Side Request Forgery via OpenId Function
CVE-2024-25181 | CRITICAL | 9.1 | givanz VvvebJs 1.7.2 - SSRF, File Reading
CVE-2024-46413 | MEDIUM | 5.1 | rebuild < 3.7.7 - Server-Side Request Forgery via Type Parameter
CVE-2024-39954 | MEDIUM | 6.3 | Apache EventMesh < 1.12.0 - Server-Side Request Forgery via WebhookUtil
CVE-2024-55399 | MEDIUM | 6.5 | 4cstrategies exonaut < 21.6.2.1-1 - Server-Side Request Forgery
CVE-2024-9408 | CRITICAL | 9.8 | Eclipse GlassFish >= 6.2.5 - Server-Side Request Forgery
CVE-2024-43394 | HIGH | 7.5 | Apache HTTP Server 2.4.0-2.4.63 - Server-Side Request Forgery via mod_rewrite or Apache Expressions
CVE-2024-43204 | HIGH | 7.5 | Apache HTTP Server 2.4.0-2.4.63 - Server-Side Request Forgery via mod_proxy
CVE-2024-51981 | MEDIUM | 5.3 | Brother Printer WS-Eventing - Blind Server-Side Request Forgery
CVE-2024-51980 | MEDIUM | 5.3 | Brother Printers WS-Addressing ReplyTo - Limited Server-Side Request Forgery Port Scanning
CVE-2024-40625 | MEDIUM | 5.5 | GeoServer < 2.26.0 - Server-Side Request Forgery via Coverage REST API
CVE-2024-34711 | CRITICAL | 9.3 | GeoServer < 2.25.0 - XML External Entity Injection via URI Validation Bypass
CVE-2024-29198 | HIGH | 7.5 | GeoServer Demo Request Endpoint - Server-Side Request Forgery
CVE-2024-7073 | MEDIUM | 6.5 | WSO2 Identity Server and Open Banking IAM/KM - Unauthenticated Server-Side Request Forgery via SOAP Admin Services
CVE-2024-52588 | MEDIUM | 4.9 | Strapi < 4.25.2 - Server-Side Request Forgery via Webhooks URL Field
CVE-2024-13957 | HIGH | 7.6 | ABB ASPECT, NEXUS, and MATRIX <=3.x - Admin Server-Side Request Forgery
CVE-2024-6584 | CRITICAL | 9.1 | WordPress Jetpack Boost 3.4.7 - Admin Server-Side Request Forgery
CVE-2024-13940 | MEDIUM | 5.5 | Ninja Forms Webhooks <= 3.0.7 - Authenticated Server-Side Request Forgery via Form Webhook Functionality
CVE-2024-55910 | MEDIUM | 6.5 | IBM Concert 1.0.0-1.0.5 - Authenticated Server-Side Request Forgery
CVE-2024-48907 | HIGH | 7.5 | Sematell ReplyOne 7.4.3.0 - Server-Side Request Forgery via Application Server API
CVE-2024-13845 | MEDIUM | 5.5 | Gravity Forms WebHooks <= 1.6.0 - Authenticated Server-Side Request Forgery via process_feed Method
CVE-2024-56736 | MEDIUM | 6.5 | Apache HertzBeat < 1.7.0 - Server-Side Request Forgery