CWE-918— Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.— MITRE CWE catalog
2,688 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-918page 50 of 54
- CVE-2026-47268MEDIUMCVSS 6.4EG 6.42026-05-29
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook a…
- CVE-2026-47356HIGHCVSS 7.5EG 7.52026-05-19
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated …
- CVE-2026-47357HIGHCVSS 7.5EG 7.52026-05-19
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unaut…
- CVE-2026-47358HIGHCVSS 7.5EG 7.52026-05-19
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When Terrascan parses uploaded ARM templates or CloudFormation templates, i…
- CVE-2026-47382MEDIUMCVSS 5.3EG 5.32026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and lin…
- CVE-2026-47389HIGHCVSS 8.6EG 8.62026-06-24
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, when using Ruby versions older than 3.4, PrivateAddressCheck.private_address? returns false for IPv4-mapped IPv6 addresses (::…
- CVE-2026-47684HIGHCVSS 7.7EG 7.72026-06-05
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g.…
- CVE-2026-47719HIGHCVSS 8.2EG 8.22026-06-08
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading ## Summary An unauthenticated attacker (Alice) connects to FUXA's Socket.IO endpoint and emits a `device-webapi-request` event whose…
- CVE-2026-47938CRITICALCVSS 10.0EG 10.02026-06-09
Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in privilege escalation. Exploitation of this issue does not require user interaction. …
- CVE-2026-48128MEDIUMCVSS 5.1EG 5.12026-05-27
Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validatio…
- CVE-2026-48146HIGHCVSS 7.7EG 7.72026-05-27
Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() e…
- CVE-2026-48148MEDIUMCVSS 5.3EG 5.32026-05-27
Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authe…
- CVE-2026-48153HIGHCVSS 8.5EG 8.52026-05-27
Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in th…
- CVE-2026-48203CRITICALCVSS 9.1EG 9.12026-07-06
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel Solr component. The camel-solr producer copies…
- CVE-2026-48205CRITICALCVSS 9.1EG 9.12026-07-06
Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel DNS component. The camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and c…
- CVE-2026-48285HIGHCVSS 8.6EG 8.62026-06-30
ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures an…
- CVE-2026-48522MEDIUMCVSS 4.2EG 4.22026-05-28
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandl…
- CVE-2026-48555HIGHCVSS 7.4EG 7.42026-05-29
Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addM…
- CVE-2026-48737MEDIUMCVSS 4.9EG 4.92026-07-09
pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs ## Summary `is_global_address` in [`src/pyload/core/utils/web/check.py`](https://github.com/pyload/pyload/blob/1b12dc7f348db8c144e0f39215680415e90ca4d2/src…
- CVE-2026-4874LOWCVSS 3.1EG 3.12026-03-26
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to u…
- CVE-2026-48764HIGHCVSS 8.2EG 8.22026-06-18
TypeBot is a chatbot builder tool. In versions prior to 3.17.2, SSRF validation is implemented by resolving a hostname once and checking whether the resolved IP belongs to a forbidden range allowing for DNS rebinding bypass. The root cause…
- CVE-2026-48782MEDIUMCVSS 6.8EG 6.82026-06-17
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an …
- CVE-2026-48818HIGHCVSS 7.5EG 7.52026-06-15
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection befo…
- CVE-2026-48843HIGHCVSS 7.2EG 7.22026-05-25
Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16,and 1.7.x before 1.7.1 has Insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to loca…
- CVE-2026-48858MEDIUMCVSS 6.5EG 6.52026-06-10
Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipf…
- CVE-2026-48916MEDIUMCVSS 6.6EG 6.62026-05-27
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals.
- CVE-2026-48918MEDIUMCVSS 6.6EG 6.62026-05-27
Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default.
- CVE-2026-48998MEDIUMCVSS 5.3EG 5.32026-06-11
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An…
- CVE-2026-4907MEDIUMCVSS 6.3EG 6.32026-03-27
A vulnerability was identified in Page-Replica Page Replica up to e4a7f52e75093ee318b4d5a9a9db6751050d2ad0. The impacted element is the function sitemap.fetch of the file /sitemap of the component Endpoint. The manipulation of the argument…
- CVE-2026-49093MEDIUMCVSS 6.3EG 6.32026-05-28
Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destination…
- CVE-2026-49120HIGHCVSS 8.5EG 8.52026-06-02
Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary …
- CVE-2026-49129MEDIUMCVSS 5.8EG 5.82026-05-28
Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass …
- CVE-2026-49138MEDIUMCVSS 5.0EG 5.02026-06-01
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the web_fetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private ad…
- CVE-2026-49139HIGHCVSS 7.0EG 7.02026-06-01
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attack…
- CVE-2026-49213HIGHCVSS 8.1EG 8.12026-07-10
TypeBot is a chatbot builder tool. Prior to 3.17.2, Typebot's shared SSRF validator in packages/lib/src/ssrf/validateHttpReqUrl.ts can be bypassed with the IPv6 unspecified address :: because validateIPAddress blocks local, metadata, and p…
- CVE-2026-49328MEDIUMCVSS 5.3EG 5.32026-06-01
Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a …
- CVE-2026-49345MEDIUMCVSS 5.3EG 5.32026-06-19
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (`/admin/config/paramet…
- CVE-2026-49359MEDIUMCVSS 6.5EG 6.52026-06-19
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` fetches the content of option values server-side via `file_get_contents()` when the value looks like a …
- CVE-2026-49372HIGHCVSS 7.5EG 7.52026-05-29
In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible
- CVE-2026-4953HIGHCVSS 7.3EG 7.32026-03-27
A weakness has been identified in mingSoft MCMS up to 5.5.0. This issue affects the function catchImage of the file net/mingsoft/cms/action/BaseAction.java of the component Editor Endpoint. Executing a manipulation of the argument catchima…
- CVE-2026-4964MEDIUMCVSS 6.3EG 6.32026-03-27
A security vulnerability has been detected in letta-ai letta 0.16.4. This vulnerability affects the function _convert_message_create_to_message of the file letta/helpers/message_helper.py of the component File URL Handler. Such manipulatio…
- CVE-2026-4979MEDIUMCVSS 5.0EG 5.02026-04-11
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to in…
- CVE-2026-49859MEDIUMCVSS 5.2EG 5.22026-06-16
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch() was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker…
- CVE-2026-49860MEDIUMCVSS 5.2EG 5.22026-06-16
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved …
- CVE-2026-49869CRITICALCVSS 10.0EG 10.02026-06-26
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Becau…
- CVE-2026-49876MEDIUMCVSS 6.5EG 0.02026-07-13
Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache Gravitino. This issue affects Apache Gravitino: from…
- CVE-2026-4989MEDIUMCVSS 4.3EG 4.32026-04-01
Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API …
- CVE-2026-49969HIGHCVSS 7.4EG 7.42026-07-13
Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUp…
- CVE-2026-49979LOWCVSS 2.7EG 2.72026-06-24
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connec…
- CVE-2026-50127MEDIUMCVSS 5.9EG 5.92026-06-10
Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which a…
Map vulnerabilities like CWE-918 to your infrastructure
EchelonGraph correlates every CVE — across CWE-918 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →