CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4606 vulnerabilities reference this CWE, most recent first.
GHSA-XP5X-9H6P-Q3RF
Vulnerability from github – Published: 2022-01-29 00:00 – Updated: 2022-02-04 00:00A CWE-918 Server-Side Request Forgery (SSRF) vulnerability exists that could cause the station web server to forward requests to unintended network targets when crafted malicious parameters are submitted to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)
{
"affected": [],
"aliases": [
"CVE-2021-22821"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-28T20:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-918 Server-Side Request Forgery (SSRF) vulnerability exists that could cause the station web server to forward requests to unintended network targets when crafted malicious parameters are submitted to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)",
"id": "GHSA-xp5x-9h6p-q3rf",
"modified": "2022-02-04T00:00:44Z",
"published": "2022-01-29T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22821"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-348-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XPFQ-G4P2-QQQF
Vulnerability from github – Published: 2022-01-11 00:01 – Updated: 2022-01-15 00:03peertube is vulnerable to Server-Side Request Forgery (SSRF)
{
"affected": [],
"aliases": [
"CVE-2022-0132"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-10T14:12:00Z",
"severity": "HIGH"
},
"details": "peertube is vulnerable to Server-Side Request Forgery (SSRF)",
"id": "GHSA-xpfq-g4p2-qqqf",
"modified": "2022-01-15T00:03:25Z",
"published": "2022-01-11T00:01:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0132"
},
{
"type": "WEB",
"url": "https://github.com/chocobozzz/peertube/commit/7b54a81cccf6b4c12269e9d6897d608b1a99537a"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/77ec5308-5561-4664-af21-d780df2d1e4b"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XPFW-QH9X-F6C7
Vulnerability from github – Published: 2025-09-19 21:31 – Updated: 2025-09-19 21:31StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 without Single Sign-on enabled are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. Successful exploit could allow an unauthenticated attacker to change the password of any Grid Manager or Tenant Manager non-federated user.
{
"affected": [],
"aliases": [
"CVE-2025-26515"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T19:15:38Z",
"severity": "HIGH"
},
"details": "StorageGRID (formerly \nStorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 without \nSingle Sign-on enabled are susceptible to a Server-Side Request Forgery \n(SSRF) vulnerability. Successful exploit could allow an unauthenticated \nattacker to change the password of any Grid Manager or Tenant Manager \nnon-federated user.",
"id": "GHSA-xpfw-qh9x-f6c7",
"modified": "2025-09-19T21:31:17Z",
"published": "2025-09-19T21:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26515"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/NTAP-20250910-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XPPR-6C99-HP78
Vulnerability from github – Published: 2024-05-15 18:30 – Updated: 2025-01-21 18:31Server Side Request Forgery vulnerability has been discovered in OpenText™ iManager 3.2.6.0200. This could lead to senstive information disclosure by directory traversal.
{
"affected": [],
"aliases": [
"CVE-2024-3970"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-15T17:15:15Z",
"severity": "MODERATE"
},
"details": "Server Side Request Forgery vulnerability\u00a0has been discovered in OpenText\u2122 iManager 3.2.6.0200. This\ncould lead to senstive information disclosure by directory traversal.",
"id": "GHSA-xppr-6c99-hp78",
"modified": "2025-01-21T18:31:03Z",
"published": "2024-05-15T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3970"
},
{
"type": "WEB",
"url": "https://www.netiq.com/documentation/imanager-32/imanager326_patch3_hf1_releasenotes/data/imanager326_patch3_hf1_releasenotes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XPV6-XWMP-4M43
Vulnerability from github – Published: 2026-05-13 21:32 – Updated: 2026-07-14 18:31A server-side request forgery (SSRF) vulnerability in the IKEv2 implementation of Palo Alto Networks PAN-OS® software allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations or cause a denial of service (DoS) condition.
Panorama, Cloud NGFW and Prisma® Access are not impacted by these vulnerabilities.
{
"affected": [],
"aliases": [
"CVE-2026-0258"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T19:17:01Z",
"severity": "MODERATE"
},
"details": "A server-side request forgery (SSRF) vulnerability in the IKEv2 implementation of Palo Alto Networks PAN-OS\u00ae software allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations or cause a denial of service (DoS) condition.\n\n\n\nPanorama, Cloud NGFW and Prisma\u00ae Access are not impacted by these vulnerabilities.",
"id": "GHSA-xpv6-xwmp-4m43",
"modified": "2026-07-14T18:31:46Z",
"published": "2026-05-13T21:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0258"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-967325.html"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2026-0258"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:H/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-XPVP-WH4V-PPC2
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07A server side request forgery (SSRF) vulnerability in /ApiAdminDomainSettings.php of MipCMS 5.0.1 allows attackers to access sensitive information.
{
"affected": [],
"aliases": [
"CVE-2020-20582"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-08T16:15:00Z",
"severity": "HIGH"
},
"details": "A server side request forgery (SSRF) vulnerability in /ApiAdminDomainSettings.php of MipCMS 5.0.1 allows attackers to access sensitive information.",
"id": "GHSA-xpvp-wh4v-ppc2",
"modified": "2022-05-24T19:07:14Z",
"published": "2022-05-24T19:07:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-20582"
},
{
"type": "WEB",
"url": "https://github.com/sansanyun/mipcms5/issues/5"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XPWP-RQ3X-X6V7
Vulnerability from github – Published: 2018-10-16 17:35 – Updated: 2020-06-16 22:03The Recurly Client .NET Library before 1.0.1, 1.1.10, 1.2.8, 1.3.2, 1.4.14, 1.5.3, 1.6.2, 1.7.1, 1.8.1 is vulnerable to a Server-Side Request Forgery vulnerability due to incorrect use of "Uri.EscapeUriString" that could result in compromise of API keys or other critical resources.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "recurly-api-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "recurly-api-client"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "1.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "recurly-api-client"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.2.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "recurly-api-client"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "recurly-api-client"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.4.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "recurly-api-client"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "1.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "recurly-api-client"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "1.6.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "recurly-api-client"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.0"
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "recurly-api-client"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.0"
},
{
"fixed": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.0"
]
}
],
"aliases": [
"CVE-2017-0907"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:03:58Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "The Recurly Client .NET Library before 1.0.1, 1.1.10, 1.2.8, 1.3.2, 1.4.14, 1.5.3, 1.6.2, 1.7.1, 1.8.1 is vulnerable to a Server-Side Request Forgery vulnerability due to incorrect use of \"Uri.EscapeUriString\" that could result in compromise of API keys or other critical resources.",
"id": "GHSA-xpwp-rq3x-x6v7",
"modified": "2020-06-16T22:03:58Z",
"published": "2018-10-16T17:35:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0907"
},
{
"type": "WEB",
"url": "https://github.com/recurly/recurly-client-net/commit/9eef460c0084afd5c24d66220c8b7a381cf9a1f1"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/288635"
},
{
"type": "WEB",
"url": "https://dev.recurly.com/page/net-updates"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-xpwp-rq3x-x6v7"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Critical severity vulnerability that affects recurly-api-client"
}
GHSA-XQ32-9G7Q-7297
Vulnerability from github – Published: 2026-05-21 20:42 – Updated: 2026-05-21 20:42Summary
A Server-Side Request Forgery (SSRF) vulnerability in get_image_info() allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services (e.g., AWS 169.254.169.254). This is a blind SSRF with confirmed internal port scanning and internal API triggering capabilities. CVSS 6.5 Medium.
Details
In flaskbb/utils/helpers.py (line 571), the url parameter is passed directly to requests.get(url, stream=True) without any validation of scheme, host, or IP address.
python# flaskbb/utils/helpers.py:571
def get_image_info(url: str):
r = requests.get(url, timeout=(3.05, 27), stream=True)
Attack chain:
POST /user/settings/user-details (avatar URL)
→ ValidateAvatarURL.validate() # validators.py:103
→ check_image(avatar) # helpers.py:628
→ get_image_info(url) # helpers.py:571
→ requests.get(url) # No domain/IP restriction
Entry points:
/user/settings/user-details (any authenticated user)
/admin/users/<id>/edit (admin only)
PoC
Log in to FlaskBB as any user Navigate to Settings → User Details Enter http://169.254.169.254/latest/meta-data/ as the avatar URL Submit the form The server sends a GET request to the internal metadata endpoint
Three exploitation channels confirmed:
Server-side request: Captured on mock metadata server Internal port scan: check_image() returns distinct errors (CONN_REFUSED, NO_CONTENT_LENGTH, TYPE_NOT_ALLOWED, SUCCESS) that map internal network topology Internal API triggering: Mock APIs on 127.0.0.1:9200 triggered via SSRF (deploy, shutdown, key dump endpoints)
Impact
Any authenticated user is impacted. Attackers can force the server to request internal services, cloud metadata endpoints, or private network resources. On cloud deployments (AWS/GCP/Azure), IAM credentials can be leaked. In production, any GET-triggered internal service is reachable: CI/CD webhooks, Elasticsearch, etcd, Consul, etc.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "flaskbb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46556"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T20:42:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "###Summary\nA Server-Side Request Forgery (SSRF) vulnerability in get_image_info() allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services (e.g., AWS 169.254.169.254). This is a blind SSRF with confirmed internal port scanning and internal API triggering capabilities. CVSS 6.5 Medium.\n\n###Details\nIn flaskbb/utils/helpers.py (line 571), the url parameter is passed directly to requests.get(url, stream=True) without any validation of scheme, host, or IP address.\n```\npython# flaskbb/utils/helpers.py:571\ndef get_image_info(url: str):\n r = requests.get(url, timeout=(3.05, 27), stream=True)\n```\n\nAttack chain:\n\n```\nPOST /user/settings/user-details (avatar URL)\n\u2192 ValidateAvatarURL.validate() # validators.py:103\n\u2192 check_image(avatar) # helpers.py:628\n\u2192 get_image_info(url) # helpers.py:571\n\u2192 requests.get(url) # No domain/IP restriction\nEntry points:\n\n/user/settings/user-details (any authenticated user)\n/admin/users/\u003cid\u003e/edit (admin only)\n\n```\n\n###PoC\n[submit.zip](https://github.com/user-attachments/files/26301527/submit.zip)\n\nLog in to FlaskBB as any user\nNavigate to Settings \u2192 User Details\nEnter http://169.254.169.254/latest/meta-data/ as the avatar URL\nSubmit the form\nThe server sends a GET request to the internal metadata endpoint\n\nThree exploitation channels confirmed:\n\nServer-side request: Captured on mock metadata server\nInternal port scan: check_image() returns distinct errors (CONN_REFUSED, NO_CONTENT_LENGTH, TYPE_NOT_ALLOWED, SUCCESS) that map internal network topology\nInternal API triggering: Mock APIs on 127.0.0.1:9200 triggered via SSRF (deploy, shutdown, key dump endpoints)\n\n###Impact\nAny authenticated user is impacted. Attackers can force the server to request internal services, cloud metadata endpoints, or private network resources. On cloud deployments (AWS/GCP/Azure), IAM credentials can be leaked. In production, any GET-triggered internal service is reachable: CI/CD webhooks, Elasticsearch, etcd, Consul, etc.",
"id": "GHSA-xq32-9g7q-7297",
"modified": "2026-05-21T20:42:09Z",
"published": "2026-05-21T20:42:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/flaskbb/flaskbb/security/advisories/GHSA-xq32-9g7q-7297"
},
{
"type": "PACKAGE",
"url": "https://github.com/flaskbb/flaskbb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "FlaskBB: SSRF in get_image_info() via unrestricted avatar URL"
}
GHSA-XQ36-JHC6-FXW2
Vulnerability from github – Published: 2024-02-29 09:30 – Updated: 2024-02-29 09:30The Friends plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.5 via the discover_available_feeds function. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
{
"affected": [],
"aliases": [
"CVE-2024-1978"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-29T07:15:06Z",
"severity": "MODERATE"
},
"details": "The Friends plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.5 via the discover_available_feeds function. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
"id": "GHSA-xq36-jhc6-fxw2",
"modified": "2024-02-29T09:30:34Z",
"published": "2024-02-29T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1978"
},
{
"type": "WEB",
"url": "https://github.com/akirk/friends/pull/290"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3036987%40friends\u0026new=3036987%40friends\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/72e1fbce-86ae-4518-a613-7c322193acf4?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQ3X-7W9J-26JF
Vulnerability from github – Published: 2022-05-14 01:32 – Updated: 2022-05-14 01:32com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value, leading to disclosure of local files and SSRF.
{
"affected": [],
"aliases": [
"CVE-2019-8982"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-21T14:29:00Z",
"severity": "CRITICAL"
},
"details": "com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent\u0026inUrl= value, leading to disclosure of local files and SSRF.",
"id": "GHSA-xq3x-7w9j-26jf",
"modified": "2022-05-14T01:32:47Z",
"published": "2022-05-14T01:32:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8982"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45158"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.