CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4607 vulnerabilities reference this CWE, most recent first.
CVE-2026-55641 (GCVE-0-2026-55641)
Vulnerability from cvelistv5 – Published: 2026-07-10 15:36 – Updated: 2026-07-10 19:06| URL | Tags |
|---|---|
| https://github.com/decolua/9router/security/advis… | x_refsource_CONFIRM |
| https://github.com/decolua/9router/commit/b282f05… | x_refsource_MISC |
| https://github.com/decolua/9router/releases/tag/v0.5.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55641",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-10T19:06:04.625545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T19:06:14.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/decolua/9router/security/advisories/GHSA-86m2-fcxq-5q7c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "9router",
"vendor": "decolua",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "9Router is an AI router \u0026 token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM proxy request is local by reading the client-controlled Host header, allowing a remote unauthenticated attacker to send Host: localhost and bypass API-key authentication. In the default configuration, this exposes the /v1 proxy to upstream provider calls using stored provider credentials and allows /v1/search with the searxng provider_options.baseUrl parameter to drive server-side requests to internal or cloud-metadata hosts. This issue is fixed in version 0.5.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348: Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1327",
"description": "CWE-1327: Binding to an Unrestricted IP Address",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T15:36:05.964Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/decolua/9router/security/advisories/GHSA-86m2-fcxq-5q7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/decolua/9router/security/advisories/GHSA-86m2-fcxq-5q7c"
},
{
"name": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3"
},
{
"name": "https://github.com/decolua/9router/releases/tag/v0.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/decolua/9router/releases/tag/v0.5.2"
}
],
"source": {
"advisory": "GHSA-86m2-fcxq-5q7c",
"discovery": "UNKNOWN"
},
"title": "9router: Unauthenticated `/v1` proxy access via `Host`-header spoofing \u2192 open AI relay + SSRF"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55641",
"datePublished": "2026-07-10T15:36:05.964Z",
"dateReserved": "2026-06-16T23:52:12.057Z",
"dateUpdated": "2026-07-10T19:06:14.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55599 (GCVE-0-2026-55599)
Vulnerability from cvelistv5 – Published: 2026-06-22 20:00 – Updated: 2026-06-23 16:12- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/phpseclib/phpseclib/security/a… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55599",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-23T14:12:41.401298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:12:08.949Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "phpseclib",
"vendor": "phpseclib",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.1.1, \u003c 1.0.30"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.0.55"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.54"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate\u0027s Authority Information Access (AIA) extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example loopback 127.0.0.1, cloud metadata address 169.254.169.254, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. This vulnerability is fixed in 1.0.30, 2.0.55, and 3.0.54."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T20:00:09.322Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4"
}
],
"source": {
"advisory": "GHSA-m557-wrgg-6rp4",
"discovery": "UNKNOWN"
},
"title": "phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55599",
"datePublished": "2026-06-22T20:00:09.322Z",
"dateReserved": "2026-06-16T23:18:03.170Z",
"dateUpdated": "2026-06-23T16:12:08.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55455 (GCVE-0-2026-55455)
Vulnerability from cvelistv5 – Published: 2026-06-24 21:36 – Updated: 2026-06-25 13:05- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/appsmithorg/appsmith/security/… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| appsmithorg | appsmith |
Affected:
< 2.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55455",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T13:04:48.487796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T13:05:39.781Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "appsmith",
"vendor": "appsmithorg",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils (used by the REST API and GraphQL datasource plugins) validates hosts against an exact-match string denylist. The comprehensive address-class check (loopback, any-local, link-local, fc00::/7) exists only on a separate code path used by SMTP, not by the HTTP plugin path. As a result, an authenticated user can craft outbound requests that reach loopback-bound services inside the container. This vulnerability is fixed in 2.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T21:36:21.863Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-m23h-pvf3-2m7p"
}
],
"source": {
"advisory": "GHSA-m23h-pvf3-2m7p",
"discovery": "UNKNOWN"
},
"title": "Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55455",
"datePublished": "2026-06-24T21:36:21.863Z",
"dateReserved": "2026-06-16T22:10:37.607Z",
"dateUpdated": "2026-06-25T13:05:39.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55412 (GCVE-0-2026-55412)
Vulnerability from cvelistv5 – Published: 2026-06-25 16:07 – Updated: 2026-06-25 17:40- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/ToolJet/ToolJet/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55412",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T17:40:16.638101Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T17:40:41.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ToolJet/ToolJet/security/advisories/GHSA-h49f-mhmm-jx4w"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ToolJet",
"vendor": "ToolJet",
"versions": [
{
"status": "affected",
"version": "\u003c 3.20.178-lts"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there\u0027s an SSRF in the RestAPI data source component. The RestAPI data source executes HTTP requests server-side, and its private IP filter only checks the hostname string \u2014 not the resolved IP. DNS names like 169.254.169.254.nip.io resolve to the Azure IMDS link-local address and bypass the filter entirely. This allows any authenticated user (free tier) to steal Azure managed identity tokens for the AKS production cluster. This vulnerability is fixed in 3.20.178-lts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T16:07:13.186Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ToolJet/ToolJet/security/advisories/GHSA-h49f-mhmm-jx4w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ToolJet/ToolJet/security/advisories/GHSA-h49f-mhmm-jx4w"
}
],
"source": {
"advisory": "GHSA-h49f-mhmm-jx4w",
"discovery": "UNKNOWN"
},
"title": "ToolJet Cloud - SSRF to Azure Cloud Infrastructure Compromise"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55412",
"datePublished": "2026-06-25T16:07:13.186Z",
"dateReserved": "2026-06-16T21:48:43.125Z",
"dateUpdated": "2026-06-25T17:40:41.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55229 (GCVE-0-2026-55229)
Vulnerability from cvelistv5 – Published: 2026-07-10 20:35 – Updated: 2026-07-13 16:19- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/gotenberg/gotenberg/security/a… | x_refsource_CONFIRM |
| https://github.com/gotenberg/gotenberg/commit/98f… | x_refsource_MISC |
| https://github.com/gotenberg/gotenberg/releases/t… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55229",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T16:19:17.726529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T16:19:22.189Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-2mrg-35hw-x3x9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gotenberg",
"vendor": "gotenberg",
"versions": [
{
"status": "affected",
"version": "\u003c 8.34.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.34.0, Gotenberg\u0027s /forms/libreoffice/convert endpoint allows a specially crafted document to cause LibreOffice to automatically retrieve external HTTP(S) resources and local file resources during document conversion, enabling blind SSRF and limited local file disclosure via linked image resource loading. This issue is fixed in version 8.34.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:35:12.809Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-2mrg-35hw-x3x9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-2mrg-35hw-x3x9"
},
{
"name": "https://github.com/gotenberg/gotenberg/commit/98fc40347885ad510a311b990a73397c6d4143db",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gotenberg/gotenberg/commit/98fc40347885ad510a311b990a73397c6d4143db"
},
{
"name": "https://github.com/gotenberg/gotenberg/releases/tag/v8.34.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gotenberg/gotenberg/releases/tag/v8.34.0"
}
],
"source": {
"advisory": "GHSA-2mrg-35hw-x3x9",
"discovery": "UNKNOWN"
},
"title": "Gotenberg: SSRF via LibreOffice document processing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55229",
"datePublished": "2026-07-10T20:35:12.809Z",
"dateReserved": "2026-06-16T16:16:32.628Z",
"dateUpdated": "2026-07-13T16:19:22.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55187 (GCVE-0-2026-55187)
Vulnerability from cvelistv5 – Published: 2026-07-10 21:43 – Updated: 2026-07-13 15:55- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/axllent/mailpit/security/advis… | x_refsource_CONFIRM |
| https://github.com/axllent/mailpit/commit/a88dadb… | x_refsource_MISC |
| https://github.com/axllent/mailpit/releases/tag/v1.30.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55187",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T15:55:02.724130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T15:55:15.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-w4mc-hhc6-xp28"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailpit",
"vendor": "axllent",
"versions": [
{
"status": "affected",
"version": "\u003c 1.30.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mailpit is an email testing tool and API for developers. Prior to 1.30.2, the remediation shipped for CVE-2026-27808 is incomplete because the tools.IsInternalIP deny-list in internal/tools/net.go relies on Go\u0027s standard library classification helpers and does not block IPv6 transition mechanisms or prefixes such as NAT64, 6to4, IPv4-compatible IPv6, ISATAP, fec0::/10, and 2001:db8::/32. An attacker who can deliver email and invoke POST /api/v1/message/{ID}/link-check can coerce the Link Check API\u0027s safeDialContext path into dialing internal destinations and can use status-code and error feedback to map internal service reachability, including cloud metadata endpoints. This issue is fixed in version 1.30.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T21:43:59.548Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/axllent/mailpit/security/advisories/GHSA-w4mc-hhc6-xp28",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-w4mc-hhc6-xp28"
},
{
"name": "https://github.com/axllent/mailpit/commit/a88dadbbe1df016a35a445089ef2a362a6c2de78",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/axllent/mailpit/commit/a88dadbbe1df016a35a445089ef2a362a6c2de78"
},
{
"name": "https://github.com/axllent/mailpit/releases/tag/v1.30.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/axllent/mailpit/releases/tag/v1.30.2"
}
],
"source": {
"advisory": "GHSA-w4mc-hhc6-xp28",
"discovery": "UNKNOWN"
},
"title": "Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms (follow-up to CVE-2026-27808)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55187",
"datePublished": "2026-07-10T21:43:59.548Z",
"dateReserved": "2026-06-16T15:20:43.086Z",
"dateUpdated": "2026-07-13T15:55:15.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55115 (GCVE-0-2026-55115)
Vulnerability from cvelistv5 – Published: 2026-07-02 14:50 – Updated: 2026-07-02 15:51- CWE-918 - Server-Side Request Forgery (SSRF)
| Vendor | Product | Version | |
|---|---|---|---|
| Ubiquiti Inc | UniFi Protect Application |
Affected:
0 , < 7.1.83
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55115",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T15:41:27.696866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T15:51:23.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UniFi Protect Application",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "7.1.83",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) in UniFi Protect Application to escalate privileges on the host device."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T14:50:48.762Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-55115",
"datePublished": "2026-07-02T14:50:48.762Z",
"dateReserved": "2026-06-16T15:00:01.614Z",
"dateUpdated": "2026-07-02T15:51:23.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55113 (GCVE-0-2026-55113)
Vulnerability from cvelistv5 – Published: 2026-07-02 14:50 – Updated: 2026-07-02 15:51- CWE-918 - Server-Side Request Forgery (SSRF)
| Vendor | Product | Version | |
|---|---|---|---|
| Ubiquiti Inc | UniFi Talk Application |
Affected:
0 , < 5.2.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T15:48:45.778988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T15:51:46.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UniFi Talk Application",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "5.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A malicious actor with access to the network could exploit a Server-Side Request Forgery (SSRF) vulnerability found in UniFi Talk Application to execute a Denial of Service (DoS) attack and bypass authentication in certain UniFi Talk API endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T14:50:48.567Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-55113",
"datePublished": "2026-07-02T14:50:48.567Z",
"dateReserved": "2026-06-16T15:00:01.614Z",
"dateUpdated": "2026-07-02T15:51:46.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55051 (GCVE-0-2026-55051)
Vulnerability from cvelistv5 – Published: 2026-07-14 17:08 – Updated: 2026-07-15 22:26- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft SharePoint Enterprise Server 2016 |
Affected:
16.0.0 , < 16.0.5561.1001
(custom)
|
|
| Microsoft | Microsoft SharePoint Server 2019 |
Affected:
16.0.0 , < 16.0.10417.20175
(custom)
|
|
| Microsoft | Microsoft SharePoint Server Subscription Edition |
Affected:
16.0.0 , < 16.0.19725.20434
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55051",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T19:15:59.362366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T19:16:23.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"x64-based Systems"
],
"product": "Microsoft SharePoint Enterprise Server 2016",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "16.0.5561.1001",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64-based Systems"
],
"product": "Microsoft SharePoint Server 2019",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "16.0.10417.20175",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
},
{
"platforms": [
"x64-based Systems"
],
"product": "Microsoft SharePoint Server Subscription Edition",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "16.0.19725.20434",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*",
"versionEndExcluding": "16.0.5561.1001",
"versionStartIncluding": "16.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*",
"versionEndExcluding": "16.0.10417.20175",
"versionStartIncluding": "16.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*",
"versionEndExcluding": "16.0.19725.20434",
"versionStartIncluding": "16.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-07-14T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T22:26:43.217Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Microsoft SharePoint Server Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55051"
}
],
"title": "Microsoft SharePoint Server Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-55051",
"datePublished": "2026-07-14T17:08:58.921Z",
"dateReserved": "2026-06-16T14:13:49.836Z",
"dateUpdated": "2026-07-15T22:26:43.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54607 (GCVE-0-2026-54607)
Vulnerability from cvelistv5 – Published: 2026-07-07 21:20 – Updated: 2026-07-08 13:48- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/labring/FastGPT/security/advis… | x_refsource_CONFIRM |
| https://github.com/labring/FastGPT/pull/7073 | x_refsource_MISC |
| https://github.com/labring/FastGPT/commit/1d7b876… | x_refsource_MISC |
| https://github.com/labring/FastGPT/releases/tag/v… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54607",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T13:48:47.765322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T13:48:51.954Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-72hf-5382-2mq9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FastGPT",
"vendor": "labring",
"versions": [
{
"status": "affected",
"version": "\u003c 4.15.0-beta4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta4, the HTTP-tool OpenAPI schema importer validates only the top-level URL before passing it to SwaggerParser.bundle, whose remote reference resolver fetches $ref URLs without FastGPT\u0027s internal-address guard and returns fetched content inline, allowing an authenticated team member to read internal services or cloud metadata. This issue is fixed in version 4.15.0-beta4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T21:20:43.617Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/labring/FastGPT/security/advisories/GHSA-72hf-5382-2mq9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/labring/FastGPT/security/advisories/GHSA-72hf-5382-2mq9"
},
{
"name": "https://github.com/labring/FastGPT/pull/7073",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/pull/7073"
},
{
"name": "https://github.com/labring/FastGPT/commit/1d7b8768aecd53ae59372fd68b10af0e80722c79",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/commit/1d7b8768aecd53ae59372fd68b10af0e80722c79"
},
{
"name": "https://github.com/labring/FastGPT/releases/tag/v4.15.0-beta4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/labring/FastGPT/releases/tag/v4.15.0-beta4"
}
],
"source": {
"advisory": "GHSA-72hf-5382-2mq9",
"discovery": "UNKNOWN"
},
"title": "FastGPT: SSRF in HTTP-tool OpenAPI schema importer via SwaggerParser $ref (bypasses the isInternalAddress guard)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54607",
"datePublished": "2026-07-07T21:20:43.617Z",
"dateReserved": "2026-06-15T19:45:23.540Z",
"dateUpdated": "2026-07-08T13:48:51.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.