CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4638 vulnerabilities reference this CWE, most recent first.
GHSA-R66P-45RW-5XC2
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30A server-side request forgery (ssrf) vulnerability [CWE-918] vulnerability in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.4, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to discover services running on local ports via crafted requests.
{
"affected": [],
"aliases": [
"CVE-2025-59809"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T16:16:31Z",
"severity": "MODERATE"
},
"details": "A server-side request forgery (ssrf) vulnerability [CWE-918] vulnerability in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.4, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to discover services running on local ports via crafted requests.",
"id": "GHSA-r66p-45rw-5xc2",
"modified": "2026-04-14T18:30:34Z",
"published": "2026-04-14T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59809"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-103"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R69X-4MJC-6RQ7
Vulnerability from github – Published: 2024-01-15 18:30 – Updated: 2024-01-22 21:31The JSM file_get_contents() Shortcode WordPress plugin before 2.7.1 does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks.
{
"affected": [],
"aliases": [
"CVE-2023-6991"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-15T16:15:12Z",
"severity": "HIGH"
},
"details": "The JSM file_get_contents() Shortcode WordPress plugin before 2.7.1 does not validate one of its shortcode\u0027s parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks.",
"id": "GHSA-r69x-4mjc-6rq7",
"modified": "2024-01-22T21:31:06Z",
"published": "2024-01-15T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6991"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/0b92becb-8a47-48fd-82e8-f7641cf5c9bc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R6J8-C6R2-37RR
Vulnerability from github – Published: 2025-12-15 00:30 – Updated: 2025-12-20 03:27A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (including link-local or loopback services).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.32.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.33.0-alpha.0"
},
{
"fixed": "1.33.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.34.0-alpha.0"
},
{
"fixed": "1.34.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13281"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-16T00:48:30Z",
"nvd_published_at": "2025-12-14T22:15:36Z",
"severity": "MODERATE"
},
"details": "A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane\u2019s host network (including link-local or loopback services).",
"id": "GHSA-r6j8-c6r2-37rr",
"modified": "2025-12-20T03:27:50Z",
"published": "2025-12-15T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13281"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/135525"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/7506ce804c20696ba32cdb72126270ceaed06e24"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/97650c1c4fe15cbb7756ba95b3edc8a8665063ca"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/dbe17dfe7773563eac95534040f413ada6d2b421"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-r6j8-c6r2-37rr"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/EORqZg0k1l4/m/TtD-q0v7AgAJ"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/12/01/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "kube-controller-manager is vulnerable to half-blind Server Side Request Forgery through in-tree Portworx StorageClass"
}
GHSA-R6JG-JFV6-2FJV
Vulnerability from github – Published: 2025-01-16 19:35 – Updated: 2025-08-20 17:40Impact
Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.
Patches
This is fixed in MMR v1.3.8.
Workarounds
Restricting which hosts MMR is allowed to contact via (local) firewall rules or a transparent proxy.
References
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery https://learn.snyk.io/lesson/ssrf-server-side-request-forgery/ https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.3.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/t2bot/matrix-media-repo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52602"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-16T19:35:02Z",
"nvd_published_at": "2025-01-16T20:15:32Z",
"severity": "MODERATE"
},
"details": "### Impact\nMatrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.\n\n### Patches\nThis is fixed in [MMR v1.3.8](https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8).\n\n### Workarounds\nRestricting which hosts MMR is allowed to contact via (local) firewall rules or a transparent proxy.\n\n### References\nhttps://owasp.org/www-community/attacks/Server_Side_Request_Forgery\nhttps://learn.snyk.io/lesson/ssrf-server-side-request-forgery/\nhttps://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang",
"id": "GHSA-r6jg-jfv6-2fjv",
"modified": "2025-08-20T17:40:09Z",
"published": "2025-01-16T19:35:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-r6jg-jfv6-2fjv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52602"
},
{
"type": "PACKAGE",
"url": "https://github.com/t2bot/matrix-media-repo"
},
{
"type": "WEB",
"url": "https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8"
},
{
"type": "WEB",
"url": "https://learn.snyk.io/lesson/ssrf-server-side-request-forgery"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3399"
},
{
"type": "WEB",
"url": "https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Matrix Media Repo (MMR) allows Server-Side Request Forgery (SSRF) on redirects and federation"
}
GHSA-R6M2-CJ32-WG84
Vulnerability from github – Published: 2023-10-09 09:30 – Updated: 2024-02-01 03:30The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the /hydra/view/get_cc_url url parameter. There can be resultant SSRF.
{
"affected": [],
"aliases": [
"CVE-2023-39854"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-09T07:15:24Z",
"severity": "MODERATE"
},
"details": "The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the /hydra/view/get_cc_url url parameter. There can be resultant SSRF.",
"id": "GHSA-r6m2-cj32-wg84",
"modified": "2024-02-01T03:30:22Z",
"published": "2023-10-09T09:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39854"
},
{
"type": "WEB",
"url": "https://wiki.notveg.ninja/blog/CVE-2023-39854"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6M7-VHGH-X9QF
Vulnerability from github – Published: 2026-03-05 06:30 – Updated: 2026-03-05 21:30Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery.This issue affects Ratatouille: from n/a through <= 1.2.6.
{
"affected": [],
"aliases": [
"CVE-2026-28036"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T06:16:36Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery.This issue affects Ratatouille: from n/a through \u003c= 1.2.6.",
"id": "GHSA-r6m7-vhgh-x9qf",
"modified": "2026-03-05T21:30:43Z",
"published": "2026-03-05T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28036"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/ratatouille/vulnerability/wordpress-ratatouille-theme-1-2-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R747-33R4-RMJW
Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-11 16:12Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-c4qg-j8jg-42q5. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T16:12:55Z",
"nvd_published_at": "2026-05-06T20:16:35Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-c4qg-j8jg-42q5. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.",
"id": "GHSA-r747-33r4-rmjw",
"modified": "2026-05-11T16:12:55Z",
"published": "2026-05-06T21:31:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qg-j8jg-42q5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44117"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/49db424c8001f2f419aad85f434894d8d85c1a09"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-qqbot-direct-media-upload"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: QQBot direct media upload skipped URL SSRF validation",
"withdrawn": "2026-05-11T16:12:55Z"
}
GHSA-R7M8-874R-4G5V
Vulnerability from github – Published: 2026-03-30 21:31 – Updated: 2026-03-30 21:31Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Request Forgery (SSRF) in CheckDatabaseRequest.php.
{
"affected": [],
"aliases": [
"CVE-2026-29925"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T19:16:24Z",
"severity": "HIGH"
},
"details": "Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Request Forgery (SSRF) in CheckDatabaseRequest.php.",
"id": "GHSA-r7m8-874r-4g5v",
"modified": "2026-03-30T21:31:04Z",
"published": "2026-03-30T21:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29925"
},
{
"type": "WEB",
"url": "https://gist.github.com/TrekLaps/5b2c72106d950dab0cd1897eb93200f1"
},
{
"type": "WEB",
"url": "https://github.com/invoiceninja/invoiceninja/blob/v5-stable/app/Http/Requests/Setup/CheckDatabaseRequest.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R7QF-PRJ4-7JHP
Vulnerability from github – Published: 2022-05-14 03:38 – Updated: 2022-05-14 03:38A Server Side Request Forgery vulnerability exists in the install app process in Sandstorm before build 0.203. A remote attacker may exploit this issue by providing a URL. It could bypass access control such as firewalls that prevent the attackers from accessing the URLs directly.
{
"affected": [],
"aliases": [
"CVE-2017-6201"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-06T16:29:00Z",
"severity": "HIGH"
},
"details": "A Server Side Request Forgery vulnerability exists in the install app process in Sandstorm before build 0.203. A remote attacker may exploit this issue by providing a URL. It could bypass access control such as firewalls that prevent the attackers from accessing the URLs directly.",
"id": "GHSA-r7qf-prj4-7jhp",
"modified": "2022-05-14T03:38:26Z",
"published": "2022-05-14T03:38:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6201"
},
{
"type": "WEB",
"url": "https://github.com/sandstorm-io/sandstorm/commit/164997fb958effbc90c5328c166706280a84aaa1"
},
{
"type": "WEB",
"url": "https://devco.re/blog/2018/01/26/Sandstorm-Security-Review-CVE-2017-6200-en"
},
{
"type": "WEB",
"url": "https://sandstorm.io/news/2017-03-02-security-review"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R7W5-7G5J-XMXJ
Vulnerability from github – Published: 2023-10-23 21:30 – Updated: 2024-04-04 08:53umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-45966"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-23T21:15:08Z",
"severity": "HIGH"
},
"details": "umputun remark42 version 1.12.1 and before has a Blind Server-Side Request Forgery (SSRF) vulnerability.",
"id": "GHSA-r7w5-7g5j-xmxj",
"modified": "2024-04-04T08:53:37Z",
"published": "2023-10-23T21:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45966"
},
{
"type": "WEB",
"url": "https://github.com/umputun/remark42/issues/1677"
},
{
"type": "WEB",
"url": "https://github.com/jet-pentest/CVE-2023-45966"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.