Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4650 vulnerabilities reference this CWE, most recent first.

GHSA-Q2GC-2P96-WXG9

Vulnerability from github – Published: 2026-07-14 03:31 – Updated: 2026-07-14 03:31
VLAI
Details

A security vulnerability has been detected in mosaxiv clawlet up to 0.2.10. This affects the function tools.webFetch of the file tools/tool_web_fetch.go. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed with the label "not planned".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T01:16:16Z",
    "severity": "LOW"
  },
  "details": "A security vulnerability has been detected in mosaxiv clawlet up to 0.2.10. This affects the function tools.webFetch of the file tools/tool_web_fetch.go. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed with the label \"not planned\".",
  "id": "GHSA-q2gc-2p96-wxg9",
  "modified": "2026-07-14T03:31:34Z",
  "published": "2026-07-14T03:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15620"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mosaxiv/clawlet/issues/14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mosaxiv/clawlet"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-15620"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/855795"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/378123"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/378123/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q2P7-5M6X-29X8

Vulnerability from github – Published: 2026-05-19 18:32 – Updated: 2026-05-19 18:32
VLAI
Details

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-47356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-19T17:16:22Z",
    "severity": "HIGH"
  },
  "details": "Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.",
  "id": "GHSA-q2p7-5m6x-29x8",
  "modified": "2026-05-19T18:32:13Z",
  "published": "2026-05-19T18:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47356"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tenable/terrascan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q2PQ-WMHC-M7HV

Vulnerability from github – Published: 2024-10-22 18:32 – Updated: 2024-10-22 21:30
VLAI
Details

An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45518"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-22T17:15:03Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Zimbra Collaboration (ZCS) 10.1.x before 10.1.1, 10.0.x before 10.0.9, 9.0.0 before Patch 41, and 8.8.15 before Patch 46. It allows authenticated users to exploit Server-Side Request Forgery (SSRF) due to improper input sanitization and misconfigured domain whitelisting. This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE).",
  "id": "GHSA-q2pq-wmhc-m7hv",
  "modified": "2024-10-22T21:30:37Z",
  "published": "2024-10-22T18:32:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45518"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q2Q9-Q8MV-PV59

Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2024-10-30 18:30
VLAI
Details

SparkShop <=1.1.7 is vulnerable to server-side request forgery (SSRF). This vulnerability allows attacks to scan ports on the Intranet or local network where the server resides, attack applications running on the Intranet or local network, or read metadata on the cloud server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T21:15:09Z",
    "severity": "MODERATE"
  },
  "details": "SparkShop \u003c=1.1.7 is vulnerable to server-side request forgery (SSRF). This vulnerability allows attacks to scan ports on the Intranet or local network where the server resides, attack applications running on the Intranet or local network, or read metadata on the cloud server.",
  "id": "GHSA-q2q9-q8mv-pv59",
  "modified": "2024-10-30T18:30:48Z",
  "published": "2024-10-28T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48107"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/RMAX2000/ebb654016e5b8a5b55aa6d8a7f2f321a#file-cve-2024-48107"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/sparkshop/sparkshop"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q2WP-R77C-3CW8

Vulnerability from github – Published: 2025-07-10 18:31 – Updated: 2025-11-05 00:31
VLAI
Details

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.  Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.

Users are recommended to upgrade to version 2.4.64 which fixes this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43204"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T17:15:45Z",
    "severity": "HIGH"
  },
  "details": "SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.\u00a0 Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.\n\nUsers are recommended to upgrade to version 2.4.64 which fixes this issue.",
  "id": "GHSA-q2wp-r77c-3cw8",
  "modified": "2025-11-05T00:31:20Z",
  "published": "2025-07-10T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43204"
    },
    {
      "type": "WEB",
      "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/10/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/10/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q2X5-4XJX-C6P9

Vulnerability from github – Published: 2026-01-21 22:49 – Updated: 2026-01-22 15:41
VLAI
Summary
Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`
Details

Impact

The FetchUrlReader component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in backend.reading.allow to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control.

This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers.

Patches

This vulnerability is fixed in @backstage/backend-defaults version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later.

Workarounds

  • Restrict backend.reading.allow to only trusted hosts that you control and that do not issue redirects
  • Ensure allowed hosts do not have open redirect vulnerabilities
  • Use network-level controls to block access from Backstage to sensitive internal endpoints

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@backstage/backend-defaults"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@backstage/backend-defaults"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.13.0"
            },
            {
              "fixed": "0.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@backstage/backend-defaults"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.14.0"
            },
            {
              "fixed": "0.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T22:49:37Z",
    "nvd_published_at": "2026-01-21T23:15:53Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nThe `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control.\n\nThis is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers.\n\n### Patches\n\nThis vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later.\n\n### Workarounds\n\n- Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects\n- Ensure allowed hosts do not have open redirect vulnerabilities\n- Use network-level controls to block access from Backstage to sensitive internal endpoints\n\n### References\n\n- [OWASP SSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)",
  "id": "GHSA-q2x5-4xjx-c6p9",
  "modified": "2026-01-22T15:41:25Z",
  "published": "2026-01-21T22:49:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24048"
    },
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/backstage/backstage"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Backstage has a Possible SSRF when reading from allowed URL\u0027s in `backend.reading.allow`"
}

GHSA-Q347-CG56-PCQ4

Vulnerability from github – Published: 2022-03-14 22:57 – Updated: 2022-03-14 22:57
VLAI
Summary
SSRF in repository migration
Details

Impact

The malicious user is able to discover services in the internal network through repository migration functionality. All installations accepting public traffic are affected.

Patches

Internal network CIDRs are prohibited to be used as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev.

Workarounds

Run Gogs in its own private network.

References

https://www.huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531/

For more information

If you have any questions or comments about this advisory, please post on #6754.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-14T22:57:00Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe malicious user is able to discover services in the internal network through repository migration functionality. All installations accepting public traffic are affected.\n\n### Patches\n\nInternal network CIDRs are prohibited to be used as repository migration targets. Users should upgrade to 0.12.5 or the latest 0.13.0+dev.\n\n### Workarounds\n\nRun Gogs in its own private network.\n\n### References\n\nhttps://www.huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531/\n\n### For more information\n\nIf you have any questions or comments about this advisory, please post on #6754.\n",
  "id": "GHSA-q347-cg56-pcq4",
  "modified": "2022-03-14T22:57:00Z",
  "published": "2022-03-14T22:57:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-q347-cg56-pcq4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://www.huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SSRF in repository migration"
}

GHSA-Q348-F93X-9GX4

Vulnerability from github – Published: 2021-04-29 21:53 – Updated: 2021-04-28 22:29
VLAI
Summary
Lack of Input Validation in zendesk_api_client_php for Zendesk Subdomain
Details

Impact

Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF).

Resolution

Validate the provided Zendesk subdomain to be a valid subdomain in: * getAuthUrl * getAccessToken

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendesk/zendesk_api_client_php"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-30492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-28T22:29:16Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nLack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF).\n\n### Resolution\nValidate the provided Zendesk subdomain to be a valid subdomain in:\n* getAuthUrl\n* getAccessToken",
  "id": "GHSA-q348-f93x-9gx4",
  "modified": "2021-04-28T22:29:16Z",
  "published": "2021-04-29T21:53:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zendesk/zendesk_api_client_php/security/advisories/GHSA-q348-f93x-9gx4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendesk/zendesk_api_client_php/pull/466"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendesk/zendesk_api_client_php/commit/b451b743d9d6d81a9abf7cb86e70ec9c5332123e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Lack of Input Validation in zendesk_api_client_php for Zendesk Subdomain"
}

GHSA-Q445-CMJC-PJFP

Vulnerability from github – Published: 2022-04-29 00:00 – Updated: 2022-05-11 00:02
VLAI
Details

The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API endpoints.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-28T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The iot-manager microservice 1.0.0 in Northern.tech Mender Enterprise before 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API endpoints.",
  "id": "GHSA-q445-cmjc-pjfp",
  "modified": "2022-05-11T00:02:08Z",
  "published": "2022-04-29T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29556"
    },
    {
      "type": "WEB",
      "url": "https://mender.io/blog/cve-2022-29555-and-cve-2022-29556-vulnerabilities-in-iot-manager-and-deviceconnect"
    },
    {
      "type": "WEB",
      "url": "https://northern.tech"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q44W-9XJG-492G

Vulnerability from github – Published: 2025-12-01 15:30 – Updated: 2026-02-06 15:30
VLAI
Details

An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-01T13:16:00Z",
    "severity": "MODERATE"
  },
  "details": "An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss.",
  "id": "GHSA-q44w-9xjg-492g",
  "modified": "2026-02-06T15:30:59Z",
  "published": "2025-12-01T15:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27232"
    },
    {
      "type": "WEB",
      "url": "https://support.zabbix.com/browse/ZBX-27282"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.