CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
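A destination check of the kind this description calls for, written here as an added example (it is not CWE text and not code from any project listed on this page). It refuses non-HTTP schemes and userinfo, resolves the host once, judges every returned record, pins the single address the transport may dial (so a name that re-resolves to 127.0.0.1 between check and connect gets nothing), unwraps IPv4-mapped IPv6, refuses NAT64/6to4/Teredo outright, and re-checks every redirect itself instead of letting the HTTP client follow it. These are the bypass classes named in the CVE titles that follow. The hostnames, DNS answers and HTTP responses are constructed stand-ins so the file runs offline; `system_resolver` is the piece you would plug in for real use.

```python
import ipaddress
import socket
from collections import namedtuple
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
NAT64_WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 prefix
# host goes in the Host header and TLS SNI; ip is the one address the transport may dial.
Destination = namedtuple("Destination", "host port ip")


class SSRFBlocked(ValueError):
    """The URL would make the server talk to something it must not."""


def _ipv4_forbidden(ip):
    # is_global is False for loopback, RFC 1918, link-local (169.254/16, where cloud
    # metadata lives), CGNAT and the TEST-NETs; multicast and 240/4 still need adding.
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved


def is_forbidden(ip):
    """True if the server must never connect to this literal address."""
    if isinstance(ip, ipaddress.IPv4Address):
        return _ipv4_forbidden(ip)
    # ::ffff:127.0.0.1 is how a dual-stack socket names loopback: judge the embedded
    # IPv4 address, not the IPv6 wrapper that a 127/8 blocklist would let through.
    if ip.ipv4_mapped is not None:
        return _ipv4_forbidden(ip.ipv4_mapped)
    # NAT64, 6to4 and Teredo carry an IPv4 destination that a gateway unwraps after
    # the check. A web fetcher has no business using them, so refuse them all.
    if ip in NAT64_WELL_KNOWN or ip.sixtofour is not None or ip.teredo is not None:
        return True
    return (not ip.is_global) or ip.is_multicast or ip.is_link_local or ip.is_site_local


def system_resolver(host, port):
    """Every address the OS resolver returns for host, as strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)]


def check_destination(url, resolver=system_resolver):
    """Parse, resolve once, judge every record, pin the address to connect to."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:  # also refuses file://, gopher://, dict://
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo not allowed")  # e.g. http://cdn.example@127.0.0.1/
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    # An attacker-controlled zone can answer with a public and a private record at once,
    # or alternate between lookups (DNS rebinding): judge every record, then pin one.
    # Numeric tricks such as 2130706433 come back from getaddrinfo as 127.0.0.1 too.
    addrs = list(resolver(host, port))
    if not addrs:
        raise SSRFBlocked(f"{host!r} does not resolve")
    for addr in addrs:
        if is_forbidden(ipaddress.ip_address(addr.split("%", 1)[0])):  # strip scope id
            raise SSRFBlocked(f"{host!r} resolves to forbidden address {addr}")
    return Destination(host, port, addrs[0])


def safe_fetch(url, transport, resolver=system_resolver, max_redirects=3):
    """Fetch url, handling redirects here so every hop is re-checked. transport(dest, url)
    must connect to dest.ip, send dest.host as Host/SNI, never resolve the name again,
    and return (status, headers, body) with lowercase header names."""
    for _ in range(max_redirects + 1):
        dest = check_destination(url, resolver)
        status, headers, body = transport(dest, url)
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])  # a relative Location is legal
            continue
        return url, status, body
    raise SSRFBlocked("too many redirects")


# Constructed offline stand-ins for DNS and HTTP (hypothetical names, no network I/O).
FAKE_DNS = {
    "cdn.example": ["8.8.8.8"],                    # any public address
    "attacker.example": ["8.8.8.8", "127.0.0.1"],  # one private record is enough to refuse
    "meta.example": ["::ffff:169.254.169.254"],    # metadata service behind v4-mapped v6
    "nat64.example": ["64:ff9b::7f00:1"],          # 127.0.0.1 behind the NAT64 prefix
}


def fake_resolver(host, port):
    try:
        return [str(ipaddress.ip_address(host))]  # literal address in the URL
    except ValueError:
        return FAKE_DNS.get(host, [])


def fake_transport(dest, url):
    if url.endswith("/redirect"):  # a public host bouncing us to the metadata service
        return 302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {}, b"ok"


def demo():
    """Run the cases and return {url: outcome} so the results can be inspected."""
    outcomes = {}
    for url in ("http://cdn.example/file", "http://cdn.example/redirect",
                "http://attacker.example/", "http://meta.example/", "http://nat64.example/",
                "http://[::1]:8080/admin", "http://[2002:7f00:1::1]/",
                "http://cdn.example@127.0.0.1/", "file:///etc/passwd"):
        try:
            outcomes[url] = f"fetched {safe_fetch(url, fake_transport, fake_resolver)[1]}"
        except SSRFBlocked as exc:
            outcomes[url] = f"blocked: {exc}"
    return outcomes


if __name__ == "__main__":
    for url, outcome in demo().items():
        print(f"{url:36} {outcome}")
```

The pinning only holds if the real transport honours it: an HTTP client that reconnects on retry or keep-alive and resolves `dest.host` again reopens the rebinding window, and a client that follows redirects on its own skips the per-hop check entirely. The check is also no substitute for egress controls on the host that does the fetching; it narrows what the application will ask for, not what the network will allow.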

2,678 vulnerabilities with CWE-918
CVE-2026-30118 CRITICAL
scalar/astro 0.1.13 - Server-Side Request Forgery via Scalar Proxy scalar_url Parameter
CVSS 9.8
CVE-2026-31910 HIGH
Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File Access
CVSS 7.5
CVE-2026-29226 HIGH
Apache OFBiz: Low-Privilege SSRF in Content Component
CVSS 7.3
CVE-2026-33234 MEDIUM
AutoGPT: SendEmailBlock's IP blocklist bypass allows SSRF via user-controlled SMTP server
CVSS 5.0
CVE-2026-45245 HIGH
Summarize < 0.15.1 Unauthorized Daemon Request via Untrusted Events
CVSS 7.4
CVE-2026-6333 LOW
SSRF via Host Header Spoofing in Custom Slash Commands
CVSS 3.5
CVE-2026-8768 HIGH
vercel ai provider-utils download-blob.ts validateDownloadUrl server-side request forgery
CVSS 7.3
CVE-2026-8725 HIGH
CoreWorxLab CAAL test-hass Endpoint webhooks.py server-side request forgery
CVSS 7.3
CVE-2026-45347 MEDIUM
Open WebUI: Blind server side request forgery (SSRF) via the PDF generate function
CVSS 4.3
CVE-2026-45338 HIGH
Open WebUI: SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)
CVSS 7.7
CVE-2026-45401 HIGH
Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints
CVSS 8.5
CVE-2026-45400 HIGH
Open WebUI: Server-Side Request Forgery (SSRF) bypass in `validate_url`
CVSS 8.5
CVE-2026-45331 HIGH
Open WebUI: Full SSRF Vulnerability in the RAG Web Search Feature
CVSS 8.5
CVE-2026-44428 MEDIUM
MCP Registry: GitHub OIDC tokens replayable across registry deployments due to shared audience
CVSS 4.7
CVE-2026-44661 MEDIUM
python-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
CVSS 4.7
CVE-2026-44430 MEDIUM
MCP Registry: Unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist
CVSS 4.0
CVE-2026-44589 LOW
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
CVSS 3.7
CVE-2026-44520 MEDIUM
Docling-Graph: SSRF via Missing Internal IP Validation in URLInputHandler
CVSS 5.7
CVE-2026-44515 LOW
Nextcloud News: Authenticated blind SSRF via feed URL
CVE-2026-42597 MEDIUM
Gotenberg: Chromium URL conversion routes read arbitrary files under /tmp via file:// scheme
CVSS 5.9
CVE-2026-42596 CRITICAL
Gotenberg: Unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
CVSS 9.4
CVE-2026-42595 HIGH
Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass
CVSS 8.6
CVE-2026-42592 MEDIUM
Gotenberg: DNS rebinding bypasses SSRF validation on Chromium URL conversion routes
CVSS 5.3
CVE-2026-42591 HIGH
Gotenberg: Server-Side Request Forgery (SSRF) in github.com/gotenberg/gotenberg/v8
CVSS 8.2
CVE-2026-42281 HIGH
MagicMirror²: Unauthenticated SSRF via /cors endpoint
CVSS 8.6