CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4640 vulnerabilities reference this CWE, most recent first.
CVE-2026-20230 (GCVE-0-2026-20230)
Vulnerability from cvelistv5 – Published: 2026-06-03 16:09 – Updated: 2026-07-01 16:28- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://sec.cloudapps.cisco.com/security/center/c… | |
| https://denizhalil.com/2026/06/12/cve-2026-20230-… | exploit |
| https://www.cisa.gov/known-exploited-vulnerabilit… | government-resource |
| Vendor | Product | Version | |
|---|---|---|---|
| Cisco | Cisco Unified Communications Manager |
Affected:
14
Affected: 14SU1 Affected: 14SU2 Affected: 14SU3 Affected: 15 Affected: 15SU1 Affected: 14SU4 Affected: 14SU4a Affected: 15SU1a Affected: 15SU2 Affected: 15.0.1.13010-1 Affected: 15.0.1.13011-1 Affected: 15.0.1.13012-1 Affected: 15.0.1.13013-1 Affected: 15.0.1.13014-1 Affected: 15.0.1.13015-1 Affected: 15.0.1.13016-1 Affected: 15.0.1.13017-1 Affected: 15SU3a Affected: 14SU5 Affected: 15SU4 Affected: 15SU4a |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20230",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T03:55:19.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://denizhalil.com/2026/06/12/cve-2026-20230-cisco-unified-cm-ssrf/"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20230"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Cisco Unified Communications Manager",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "14"
},
{
"status": "affected",
"version": "14SU1"
},
{
"status": "affected",
"version": "14SU2"
},
{
"status": "affected",
"version": "14SU3"
},
{
"status": "affected",
"version": "15"
},
{
"status": "affected",
"version": "15SU1"
},
{
"status": "affected",
"version": "14SU4"
},
{
"status": "affected",
"version": "14SU4a"
},
{
"status": "affected",
"version": "15SU1a"
},
{
"status": "affected",
"version": "15SU2"
},
{
"status": "affected",
"version": "15.0.1.13010-1"
},
{
"status": "affected",
"version": "15.0.1.13011-1"
},
{
"status": "affected",
"version": "15.0.1.13012-1"
},
{
"status": "affected",
"version": "15.0.1.13013-1"
},
{
"status": "affected",
"version": "15.0.1.13014-1"
},
{
"status": "affected",
"version": "15.0.1.13015-1"
},
{
"status": "affected",
"version": "15.0.1.13016-1"
},
{
"status": "affected",
"version": "15.0.1.13017-1"
},
{
"status": "affected",
"version": "15SU3a"
},
{
"status": "affected",
"version": "14SU5"
},
{
"status": "affected",
"version": "15SU4"
},
{
"status": "affected",
"version": "15SU4a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device.\r\n\r\nThis vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.\r\nNote: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root.\r\nNote: To exploit this vulnerability, the WebDialer service must be enabled. WebDialer is disabled by default."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory.\r\n\r\nIn June 2026, the Cisco PSIRT became aware of active exploitation of this vulnerability. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"format": "cvssV3_1"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T16:28:16.838Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "cisco-sa-cucm-ssrf-cXPnHcW",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW"
}
],
"source": {
"advisory": "cisco-sa-cucm-ssrf-cXPnHcW",
"defects": [
"CSCws67331"
],
"discovery": "EXTERNAL"
},
"title": "Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20230",
"datePublished": "2026-06-03T16:09:45.961Z",
"dateReserved": "2025-10-08T11:59:15.399Z",
"dateUpdated": "2026-07-01T16:28:16.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20041 (GCVE-0-2026-20041)
Vulnerability from cvelistv5 – Published: 2026-04-01 16:27 – Updated: 2026-04-01 18:13- CWE-918 - Server-Side Request Forgery (SSRF)
| Vendor | Product | Version | |
|---|---|---|---|
| Cisco | Cisco Nexus Dashboard |
Affected:
1.1(3e)
Affected: 1.1(3c) Affected: 1.1(3d) Affected: 1.1(0d) Affected: 1.1(2i) Affected: 2.0(1b) Affected: 1.1(2h) Affected: 1.1(0c) Affected: 1.1(3f) Affected: 2.1(1d) Affected: 2.1(1e) Affected: 2.0(2g) Affected: 2.0(2h) Affected: 2.1(2d) Affected: 2.0(1d) Affected: 2.2(1h) Affected: 2.2(1e) Affected: 2.2(2d) Affected: 2.1(2f) Affected: 2.3(1c) Affected: 2.3(2b) Affected: 2.3(2c) Affected: 2.3(2d) Affected: 2.3(2e) Affected: 3.0(1f) Affected: 3.0(1i) Affected: 3.1(1k) Affected: 3.1(1l) Affected: 3.2(1e) Affected: 3.2(1i) Affected: 3.3(1a) Affected: 3.3(1b) Affected: 3.3(2b) Affected: 4.0(1i) Affected: 3.3(2g) Affected: 3.2(2f) Affected: 3.2(2g) Affected: 3.2(2m) Affected: 3.1(1n) Affected: 4.1(1g) |
|
| Cisco | Cisco Nexus Dashboard Insights |
Affected:
2.2.2.125
Affected: 2.2.2.126 Affected: 5.0.1.150 Affected: 5.0.1.154 Affected: 5.1.0.131 Affected: 5.1.0.135 Affected: 6.0.1 Affected: 6.0.2 Affected: 6.1.1 Affected: 6.1.2 Affected: 6.1.3 Affected: 6.2.1 Affected: 6.2.2 Affected: 6.3.1 Affected: 6.4.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20041",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T18:13:09.025281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T18:13:15.076Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Cisco Nexus Dashboard",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "1.1(3e)"
},
{
"status": "affected",
"version": "1.1(3c)"
},
{
"status": "affected",
"version": "1.1(3d)"
},
{
"status": "affected",
"version": "1.1(0d)"
},
{
"status": "affected",
"version": "1.1(2i)"
},
{
"status": "affected",
"version": "2.0(1b)"
},
{
"status": "affected",
"version": "1.1(2h)"
},
{
"status": "affected",
"version": "1.1(0c)"
},
{
"status": "affected",
"version": "1.1(3f)"
},
{
"status": "affected",
"version": "2.1(1d)"
},
{
"status": "affected",
"version": "2.1(1e)"
},
{
"status": "affected",
"version": "2.0(2g)"
},
{
"status": "affected",
"version": "2.0(2h)"
},
{
"status": "affected",
"version": "2.1(2d)"
},
{
"status": "affected",
"version": "2.0(1d)"
},
{
"status": "affected",
"version": "2.2(1h)"
},
{
"status": "affected",
"version": "2.2(1e)"
},
{
"status": "affected",
"version": "2.2(2d)"
},
{
"status": "affected",
"version": "2.1(2f)"
},
{
"status": "affected",
"version": "2.3(1c)"
},
{
"status": "affected",
"version": "2.3(2b)"
},
{
"status": "affected",
"version": "2.3(2c)"
},
{
"status": "affected",
"version": "2.3(2d)"
},
{
"status": "affected",
"version": "2.3(2e)"
},
{
"status": "affected",
"version": "3.0(1f)"
},
{
"status": "affected",
"version": "3.0(1i)"
},
{
"status": "affected",
"version": "3.1(1k)"
},
{
"status": "affected",
"version": "3.1(1l)"
},
{
"status": "affected",
"version": "3.2(1e)"
},
{
"status": "affected",
"version": "3.2(1i)"
},
{
"status": "affected",
"version": "3.3(1a)"
},
{
"status": "affected",
"version": "3.3(1b)"
},
{
"status": "affected",
"version": "3.3(2b)"
},
{
"status": "affected",
"version": "4.0(1i)"
},
{
"status": "affected",
"version": "3.3(2g)"
},
{
"status": "affected",
"version": "3.2(2f)"
},
{
"status": "affected",
"version": "3.2(2g)"
},
{
"status": "affected",
"version": "3.2(2m)"
},
{
"status": "affected",
"version": "3.1(1n)"
},
{
"status": "affected",
"version": "4.1(1g)"
}
]
},
{
"defaultStatus": "unknown",
"product": "Cisco Nexus Dashboard Insights",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "2.2.2.125"
},
{
"status": "affected",
"version": "2.2.2.126"
},
{
"status": "affected",
"version": "5.0.1.150"
},
{
"status": "affected",
"version": "5.0.1.154"
},
{
"status": "affected",
"version": "5.1.0.131"
},
{
"status": "affected",
"version": "5.1.0.135"
},
{
"status": "affected",
"version": "6.0.1"
},
{
"status": "affected",
"version": "6.0.2"
},
{
"status": "affected",
"version": "6.1.1"
},
{
"status": "affected",
"version": "6.1.2"
},
{
"status": "affected",
"version": "6.1.3"
},
{
"status": "affected",
"version": "6.2.1"
},
{
"status": "affected",
"version": "6.2.2"
},
{
"status": "affected",
"version": "6.3.1"
},
{
"status": "affected",
"version": "6.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected device.\r\n\r\nThis vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by persuading an authenticated user of the device management interface to click a crafted link. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device to an attacker-controlled server. The attacker could then execute arbitrary script code in the context of the affected interface or access sensitive browser-based information."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "cvssV3_1"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:27:49.961Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "cisco-sa-nd-ssrf-NAen4O7r",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nd-ssrf-NAen4O7r"
}
],
"source": {
"advisory": "cisco-sa-nd-ssrf-NAen4O7r",
"defects": [
"CSCwq47518"
],
"discovery": "INTERNAL"
},
"title": "Cisco Nexus Dashboard Server Side Request Forgery Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20041",
"datePublished": "2026-04-01T16:27:49.961Z",
"dateReserved": "2025-10-08T11:59:15.354Z",
"dateUpdated": "2026-04-01T18:13:15.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20035 (GCVE-0-2026-20035)
Vulnerability from cvelistv5 – Published: 2026-05-06 16:15 – Updated: 2026-05-06 17:27- CWE-918 - Server-Side Request Forgery (SSRF)
| Vendor | Product | Version | |
|---|---|---|---|
| Cisco | Cisco Unity Connection |
Affected:
12.5(1)
Affected: 12.5(1)SU1 Affected: 12.5(1)SU2 Affected: 12.5(1)SU3 Affected: 12.5(1)SU4 Affected: 14 Affected: 12.5(1)SU5 Affected: 14SU1 Affected: 12.5(1)SU6 Affected: 14SU2 Affected: 12.5(1)SU7 Affected: 14SU3 Affected: 12.5(1)SU8 Affected: 14SU3a Affected: 12.5(1)SU8a Affected: 15 Affected: 15SU1 Affected: 14SU4 Affected: 12.5(1)SU9 Affected: 15SU2 Affected: 15SU3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20035",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T17:27:15.669186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T17:27:23.655Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Cisco Unity Connection",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "12.5(1)"
},
{
"status": "affected",
"version": "12.5(1)SU1"
},
{
"status": "affected",
"version": "12.5(1)SU2"
},
{
"status": "affected",
"version": "12.5(1)SU3"
},
{
"status": "affected",
"version": "12.5(1)SU4"
},
{
"status": "affected",
"version": "14"
},
{
"status": "affected",
"version": "12.5(1)SU5"
},
{
"status": "affected",
"version": "14SU1"
},
{
"status": "affected",
"version": "12.5(1)SU6"
},
{
"status": "affected",
"version": "14SU2"
},
{
"status": "affected",
"version": "12.5(1)SU7"
},
{
"status": "affected",
"version": "14SU3"
},
{
"status": "affected",
"version": "12.5(1)SU8"
},
{
"status": "affected",
"version": "14SU3a"
},
{
"status": "affected",
"version": "12.5(1)SU8a"
},
{
"status": "affected",
"version": "15"
},
{
"status": "affected",
"version": "15SU1"
},
{
"status": "affected",
"version": "14SU4"
},
{
"status": "affected",
"version": "12.5(1)SU9"
},
{
"status": "affected",
"version": "15SU2"
},
{
"status": "affected",
"version": "15SU3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device.\r\n\r\nThis vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "cvssV3_1"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T16:15:57.142Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "cisco-sa-unity-rce-ssrf-hENhuASy",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy"
}
],
"source": {
"advisory": "cisco-sa-unity-rce-ssrf-hENhuASy",
"defects": [
"CSCwq36834"
],
"discovery": "EXTERNAL"
},
"title": "Cisco Unity Connection Server-Side Request Forgery Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20035",
"datePublished": "2026-05-06T16:15:57.142Z",
"dateReserved": "2025-10-08T11:59:15.353Z",
"dateUpdated": "2026-05-06T17:27:23.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GCVE-1-2026-20007 (CVE-2026-62143)
Vulnerability from gna-1 – Published: 2026-07-13 07:51 – Updated: 2026-07-13 07:52- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/MISP/misp-modules/commit/3bae4… | patch |
| Vendor | Product | Version | |
|---|---|---|---|
| misp | misp-modules |
Affected:
0 , ≤ v3.0.8
(semver)
|
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp-modules",
"repo": "https://github.com/MISP/misp-modules/",
"vendor": "misp",
"versions": [
{
"lessThanOrEqual": "v3.0.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Alexandre Dulaunoy"
},
{
"lang": "en",
"type": "finder",
"value": "George Chen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA Server-Side Request Forgery (SSRF) protection bypass existed in the \u003ccode\u003ehtml_to_markdown\u003c/code\u003e expansion module of \u003cstrong\u003emisp-modules\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eThe module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges without first normalising IPv4-mapped IPv6 addresses.\u003c/p\u003e\u003cp\u003eAn authenticated attacker able to invoke the module could supply an IPv4-mapped IPv6 address, such as:\u003c/p\u003e\u003cpre\u003e\u003ccode\u003ehttp://[::ffff:127.0.0.1]/\nhttp://[::ffff:169.254.169.254]/\u003c/code\u003e\u003c/pre\u003e\u003cp\u003eAlternatively, the attacker could use a hostname that resolves to an IPv4-mapped IPv6 address. These addresses were treated as IPv6 addresses and therefore did not match the corresponding blocked IPv4 ranges.\u003c/p\u003e\u003cp\u003eSuccessful exploitation could cause the misp-modules server to connect to services available through its loopback interface, internal network, or link-local network. This could expose internal web services, administrative interfaces, or cloud instance metadata, with retrieved content potentially returned to the attacker as converted Markdown.\u003c/p\u003e\u003cp\u003eThe vulnerability has been addressed by normalising IPv4-mapped IPv6 addresses to their underlying IPv4 representation before applying the blocked-range checks. URLs without a valid hostname are now also rejected.\u003c/p\u003e\u003ch2\u003e\u003c/h2\u003e\u003cbr\u003e"
}
],
"value": "A Server-Side Request Forgery (SSRF) protection bypass existed in the html_to_markdown expansion module of misp-modules.\n\nThe module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges without first normalising IPv4-mapped IPv6 addresses.\n\nAn authenticated attacker able to invoke the module could supply an IPv4-mapped IPv6 address, such as:\n\nhttp://[::ffff:127.0.0.1]/\nhttp://[::ffff:169.254.169.254]/\n\nAlternatively, the attacker could use a hostname that resolves to an IPv4-mapped IPv6 address. These addresses were treated as IPv6 addresses and therefore did not match the corresponding blocked IPv4 ranges.\n\nSuccessful exploitation could cause the misp-modules server to connect to services available through its loopback interface, internal network, or link-local network. This could expose internal web services, administrative interfaces, or cloud instance metadata, with retrieved content potentially returned to the attacker as converted Markdown.\n\nThe vulnerability has been addressed by normalising IPv4-mapped IPv6 addresses to their underlying IPv4 representation before applying the blocked-range checks. URLs without a valid hostname are now also rejected."
}
],
"impacts": [
{
"capecId": "CAPEC-101",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-101 Server Side Include (SSI) Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:Y/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"other": {
"content": {
"Automatable": "Yes",
"Exploitation": "None",
"Technical Impact": "Partial",
"Value Density": "Diffused",
"version": "2.0"
},
"type": "SSVCv2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/misp-modules/commit/3bae4108a3ba1e507727d5264697fd7303ba0b89"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery protection bypass in misp-modules html_to_markdown via IPv4-mapped IPv6 addresses",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-20007"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2026-62143",
"datePublished": "2026-07-13T07:51:40.478167Z",
"dateReserved": "2026-07-13T07:52:02.284Z",
"dateUpdated": "2026-07-13T07:52:02.354140Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2026-20007"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GCVE-1-2026-20001 (CVE-2026-9813)
Vulnerability from gna-1 – Published: 2026-05-28 09:24 – Updated: 2026-05-28 09:28- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/flowintel/flowintel/commit/68b… | patch |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "flowintel",
"vendor": "flowintel",
"versions": [
{
"lessThan": "3.3.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bilal Teke"
},
{
"lang": "en",
"type": "remediation verifier",
"value": "David Cruciani"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Alexandre Dulaunoy"
},
{
"lang": "en",
"type": "tool",
"value": "Codex (GPT-5.5)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eFlowIntel up to version 3.3.0\u0026nbsp;contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in \u003ccode\u003eapp/case/task.py\u003c/code\u003e. An attacker who can submit an external reference URL can cause the application server to issue an HTTP \u003ccode\u003eHEAD\u003c/code\u003e request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server\u0027s network context.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "FlowIntel up to version 3.3.0\u00a0contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server\u0027s network context."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:H/SA:H/S:N/RE:L/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/flowintel/flowintel/commit/68b523b47854c54bf36fd706c0fd5353063b5409"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FlowIntel external reference URL probe allows server-side request forgery",
"x_gcve": [
{
"recordType": "advisory",
"vulnId": "gcve-1-2026-20001"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2026-9813",
"datePublished": "2026-05-28T09:24:00.000Z",
"dateUpdated": "2026-05-28T09:28:16.686697Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2026-20001"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-16084 (GCVE-0-2026-16084)
Vulnerability from cvelistv5 – Published: 2026-07-18 09:00 – Updated: 2026-07-18 09:00 X_Open Source- CWE-918 - Server-Side Request Forgery
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/379796 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/379796/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-16084 | third-party-advisory |
| https://vuldb.com/submit/852946 | third-party-advisory |
| https://github.com/sipeed/picoclaw/issues/3074 | exploitissue-tracking |
| https://github.com/sipeed/picoclaw/pull/3143 | issue-trackingpatch |
| https://github.com/sipeed/picoclaw/commit/c15aac2… | patch |
| https://github.com/sipeed/picoclaw/ | product |
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sipeed:picoclaw:*:*:*:*:*:*:*:*"
],
"product": "PicoClaw",
"vendor": "Sipeed",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
},
{
"status": "affected",
"version": "0.2.5"
},
{
"status": "affected",
"version": "0.2.6"
},
{
"status": "affected",
"version": "0.2.7"
},
{
"status": "affected",
"version": "0.2.8"
},
{
"status": "affected",
"version": "0.2.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-i (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Sipeed PicoClaw up to 0.2.9. This impacts the function web_fetch of the file pkg/tools/integration/web.go. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Patch name: c15aac21fe05ee103a470e1104bc891754e83392. To fix this issue, it is recommended to deploy a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-18T09:00:10.981Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-379796 | Sipeed PicoClaw web.go web_fetch server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/379796"
},
{
"name": "VDB-379796 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/379796/cti"
},
{
"name": "CVE-2026-16084 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-16084"
},
{
"name": "Submit #852946 | Sipeed PicoClaw \u003c= 0.2.9 Server-Side Request Forgery (CWE-918)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852946"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/sipeed/picoclaw/issues/3074"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/sipeed/picoclaw/pull/3143"
},
{
"tags": [
"patch"
],
"url": "https://github.com/sipeed/picoclaw/commit/c15aac21fe05ee103a470e1104bc891754e83392"
},
{
"tags": [
"product"
],
"url": "https://github.com/sipeed/picoclaw/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-17T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-17T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-17T15:55:30.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sipeed PicoClaw web.go web_fetch server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-16084",
"datePublished": "2026-07-18T09:00:10.981Z",
"dateReserved": "2026-07-17T13:50:07.157Z",
"dateUpdated": "2026-07-18T09:00:10.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-16074 (GCVE-0-2026-16074)
Vulnerability from cvelistv5 – Published: 2026-07-17 20:15 – Updated: 2026-07-17 20:15- CWE-918 - Server-Side Request Forgery
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/379789 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/379789/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-16074 | third-party-advisory |
| https://vuldb.com/submit/852842 | third-party-advisory |
| https://gist.github.com/YLChen-007/f84070f78d9c9c… | exploit |
| Vendor | Product | Version | |
|---|---|---|---|
| AstrBotDevs | AstrBot |
Affected:
4.25.0
Affected: 4.25.1 Affected: 4.25.2 cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:* |
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*"
],
"modules": [
"Plugin Update Handler"
],
"product": "AstrBot",
"vendor": "AstrBotDevs",
"versions": [
{
"status": "affected",
"version": "4.25.0"
},
{
"status": "affected",
"version": "4.25.1"
},
{
"status": "affected",
"version": "4.25.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-d (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in AstrBotDevs AstrBot up to 4.25.2. This affects the function update_plugin/update_all_plugins of the file astrbot/dashboard/routes/plugin.py of the component Plugin Update Handler. The manipulation of the argument download_url/download_urls/proxy results in server-side request forgery. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T20:15:09.598Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-379789 | AstrBotDevs AstrBot Plugin Update plugin.py update_all_plugins server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/379789"
},
{
"name": "VDB-379789 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/379789/cti"
},
{
"name": "CVE-2026-16074 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-16074"
},
{
"name": "Submit #852842 | AstrBotDevs AstrBot 4.25.2 Server-Side Request Forgery (CWE-918)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/852842"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/f84070f78d9c9c9407b0c396189cd716"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-17T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-17T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-17T15:44:44.000Z",
"value": "VulDB entry last update"
}
],
"title": "AstrBotDevs AstrBot Plugin Update plugin.py update_all_plugins server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-16074",
"datePublished": "2026-07-17T20:15:09.598Z",
"dateReserved": "2026-07-17T13:39:22.213Z",
"dateUpdated": "2026-07-17T20:15:09.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-16016 (GCVE-0-2026-16016)
Vulnerability from cvelistv5 – Published: 2026-07-17 13:30 – Updated: 2026-07-17 14:51- CWE-918 - Server-Side Request Forgery
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/379758 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/379758/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-16016 | third-party-advisory |
| https://vuldb.com/submit/856814 | third-party-advisory |
| https://github.com/poco-ai/poco-claw/issues/138 | exploitissue-tracking |
| https://github.com/poco-ai/poco-claw/ | exploitproduct |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-16016",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T14:51:15.201300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T14:51:53.546Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:poco-ai:poco-claw:*:*:*:*:*:*:*:*"
],
"product": "poco-claw",
"vendor": "poco-ai",
"versions": [
{
"status": "affected",
"version": "0.5.0"
},
{
"status": "affected",
"version": "0.5.1"
},
{
"status": "affected",
"version": "0.5.2"
},
{
"status": "affected",
"version": "0.5.3"
},
{
"status": "affected",
"version": "0.5.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Erichen (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in poco-ai poco-claw up to 0.5.4. This issue affects the function run_task of the file executor/app/api/v1/task.py. The manipulation of the argument callback_url leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The reported GitHub issue was closed automatically due to inactivity."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T13:30:10.299Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-379758 | poco-ai poco-claw task.py run_task server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/379758"
},
{
"name": "VDB-379758 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/379758/cti"
},
{
"name": "CVE-2026-16016 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-16016"
},
{
"name": "Submit #856814 | poco-ai poco-agent 0.5.4 Server-Side Request Forgery / SSRF (CWE-918)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/856814"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/poco-ai/poco-claw/issues/138"
},
{
"tags": [
"exploit",
"product"
],
"url": "https://github.com/poco-ai/poco-claw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-17T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-17T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-17T07:49:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "poco-ai poco-claw task.py run_task server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-16016",
"datePublished": "2026-07-17T13:30:10.299Z",
"dateReserved": "2026-07-17T05:44:08.705Z",
"dateUpdated": "2026-07-17T14:51:53.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15750 (GCVE-0-2026-15750)
Vulnerability from cvelistv5 – Published: 2026-07-14 21:30 – Updated: 2026-07-15 12:44- CWE-918 - Server-Side Request Forgery
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/378329 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/378329/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15750 | third-party-advisory |
| https://vuldb.com/submit/856633 | third-party-advisory |
| https://github.com/mastergo-design/mastergo-magic… | exploitissue-tracking |
| https://github.com/mastergo-design/mastergo-magic-mcp/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| mastergo-design | mastergo-magic-mcp |
Affected:
0.1
Affected: 0.2.0 cpe:2.3:a:mastergo-design:mastergo-magic-mcp:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15750",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T12:44:43.686782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T12:44:54.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:mastergo-design:mastergo-magic-mcp:*:*:*:*:*:*:*:*"
],
"modules": [
"mcp__getComponentLink"
],
"product": "mastergo-magic-mcp",
"vendor": "mastergo-design",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Mcfly_Zhang (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in mastergo-design mastergo-magic-mcp up to 0.2.0. Impacted is the function z.string of the file src/tools/get-component-link.ts of the component mcp__getComponentLink. Executing a manipulation of the argument url can lead to server-side request forgery. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T21:30:08.566Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-378329 | mastergo-design mastergo-magic-mcp mcp__getComponentLink get-component-link.ts z.string server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/378329"
},
{
"name": "VDB-378329 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/378329/cti"
},
{
"name": "CVE-2026-15750 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15750"
},
{
"name": "Submit #856633 | mastergo-design mastergo-magic-mcp 0.2.0 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/856633"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/mastergo-design/mastergo-magic-mcp/issues/89"
},
{
"tags": [
"product"
],
"url": "https://github.com/mastergo-design/mastergo-magic-mcp/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-14T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-14T17:44:59.000Z",
"value": "VulDB entry last update"
}
],
"title": "mastergo-design mastergo-magic-mcp mcp__getComponentLink get-component-link.ts z.string server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15750",
"datePublished": "2026-07-14T21:30:08.566Z",
"dateReserved": "2026-07-14T15:39:47.644Z",
"dateUpdated": "2026-07-15T12:44:54.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15746 (GCVE-0-2026-15746)
Vulnerability from cvelistv5 – Published: 2026-07-15 18:35 – Updated: 2026-07-15 18:54- CWE-918 - Server-Side request forgery (SSRF)
| URL | Tags |
|---|---|
| https://pypi.org/project/strands-agents-tools/0.7.0/ | release-notes |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/strands-agents/tools/security/… | release-notespatch |
| Vendor | Product | Version | |
|---|---|---|---|
| Amazon | strands-agents-tools |
Affected:
0 , < 0.7.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T18:54:16.974385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T18:54:31.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "strands-agents-tools",
"vendor": "Amazon",
"versions": [
{
"lessThan": "0.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:amazon:strands-agents-tools:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.7.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eStrands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearch_memory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery (SSRF) issue in the elasticsearch_memory tool. The tool exposed its connection parameters (es_url, cloud_id, api_key) as fields the large language model (LLM) could control through the tool schema. When a caller omitted the api_key parameter, the tool fell back to the operator\u0027s ELASTICSEARCH_API_KEY environment variable and sent it to whichever host the LLM specified. A crafted prompt could cause the tool to connect to a threat-actor-controlled server and disclose the operator\u0027s Elasticsearch API key in the Authorization header.\u003c/p\u003e\u003cp\u003eWe recommend you upgrade to strands-agents-tools version 0.7.0 or later. As a precautionary measure, we recommend all operators rotate their \u003ccode\u003eELASTICSEARCH_API_KEY\u003c/code\u003e, even if there is no indication the credential was exposed.\u003c/p\u003e"
}
],
"value": "Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearch_memory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery (SSRF) issue in the elasticsearch_memory tool. The tool exposed its connection parameters (es_url, cloud_id, api_key) as fields the large language model (LLM) could control through the tool schema. When a caller omitted the api_key parameter, the tool fell back to the operator\u0027s ELASTICSEARCH_API_KEY environment variable and sent it to whichever host the LLM specified. A crafted prompt could cause the tool to connect to a threat-actor-controlled server and disclose the operator\u0027s Elasticsearch API key in the Authorization header.\n\n\n\nWe recommend you upgrade to strands-agents-tools version 0.7.0 or later. As a precautionary measure, we recommend all operators rotate their ELASTICSEARCH_API_KEY, even if there is no indication the credential was exposed."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side request forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T18:45:44.627Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://pypi.org/project/strands-agents-tools/0.7.0/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-056-aws/"
},
{
"tags": [
"release-notes",
"patch"
],
"url": "https://github.com/strands-agents/tools/security/advisories/GHSA-ppcf-fpr3-x46v"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Credential disclosure in Strands Agents Tools elasticsearch_memory tool",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-15746",
"datePublished": "2026-07-15T18:35:47.382Z",
"dateReserved": "2026-07-14T14:55:13.322Z",
"dateUpdated": "2026-07-15T18:54:31.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.