CWE-918— Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.— MITRE CWE catalog
2,688 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-918page 51 of 54
- CVE-2026-50131HIGHCVSS 8.6EG 8.62026-06-10
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fet…
- CVE-2026-50134MEDIUMCVSS 5.8EG 5.82026-06-16
Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker…
- CVE-2026-5016HIGHCVSS 7.3EG 7.32026-03-28
A vulnerability was identified in elecV2 elecV2P up to 3.8.3. This affects the function eAxios of the file /mock of the component URL Handler. Such manipulation of the argument req leads to server-side request forgery. It is possible to la…
- CVE-2026-50168HIGHCVSS 8.2EG 8.22026-06-15
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/platform-server package allow…
- CVE-2026-50189HIGHCVSS 7.2EG 7.22026-06-24
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /…
- CVE-2026-50221MEDIUMCVSS 5.4EG 5.42026-06-23
In OpenStack Swift before 2.37.2, proxy-server does not strip internal update headers (X-Container-Host, X-Container-Device, X-Delete-At-Host, X-Delete-At-Device) from client requests before forwarding them to object-servers. An authentica…
- CVE-2026-5052MEDIUMCVSS 5.3EG 5.32026-04-17
Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixe…
- CVE-2026-50552MEDIUMCVSS 6.3EG 6.32026-06-12
Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rule…
- CVE-2026-50887CRITICALCVSS 9.1EG 9.12026-06-15
A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a crafted longUrl.
- CVE-2026-50888HIGHCVSS 8.1EG 8.12026-06-15
An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL.
- CVE-2026-5126MEDIUMCVSS 6.3EG 6.32026-03-30
A flaw has been found in SourceCodester RSS Feed Parser 1.0. Affected by this issue is the function file_get_contents. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has…
- CVE-2026-5131MEDIUMCVSS 6.9EG 6.92026-04-17
GREENmod uses named pipes for communication between plugins, the web portal, and the system service, but the access control lists for these pipes are configured incorrectly. This allows an attacker to communicate with the stream and upload…
- CVE-2026-5205MEDIUMCVSS 6.3EG 6.32026-03-31
A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to s…
- CVE-2026-5259MEDIUMCVSS 6.3EG 6.32026-04-01
A vulnerability was determined in AutohomeCorp frostmourne up to 1.0. The affected element is an unknown function of the file frostmourne-monitor/src/main/java/com/autohome/frostmourne/monitor/controller/AlarmController.java of the compone…
- CVE-2026-52805HIGHCVSS 8.7EG 8.72026-06-23
Gogs is an open source self-hosted Git service. Prior to 0.14.3, a Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but …
- CVE-2026-5323MEDIUMCVSS 5.3EG 5.32026-04-02
A vulnerability was found in priyankark a11y-mcp up to 1.0.5. This vulnerability affects the function A11yServer of the file src/index.js. The manipulation results in server-side request forgery. The attack must be initiated from a local p…
- CVE-2026-53450HIGHCVSS 7.4EG 7.42026-07-10
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, but the default loopback guard can be bypassed by using the IPv4-mapped …
- CVE-2026-5346HIGHCVSS 7.3EG 7.32026-04-02
A vulnerability was determined in huimeicloud hm_editor up to 2.2.3. Impacted is the function client.get of the file src/mcp-server.js of the component image-to-base64 Endpoint. Executing a manipulation of the argument url can lead to serv…
- CVE-2026-53607LOWCVSS 3.7EG 3.72026-06-12
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when `prettyUrls: true` is enabled on `@apostrophecms/file` (a documented SEO feature for serving uploaded files at clean URLs), the…
- CVE-2026-53754HIGHCVSS 7.5EG 7.52026-06-16
Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.8, the Docker API server's SSRF protection (validate_webhook_url / validate_url_destination in deploy/docker/utils.py) used an explicit IPv4/IPv6 CIDR blocklist th…
- CVE-2026-53755HIGHCVSS 7.5EG 7.52026-06-16
Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.9, the Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy…
- CVE-2026-53782HIGHCVSS 7.4EG 7.42026-06-11
Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript content from loopback addresses, link-local addresses, RFC 1918 privat…
- CVE-2026-53812HIGHCVSS 7.7EG 7.72026-06-11
OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. Attackers can trigger naviga…
- CVE-2026-53827MEDIUMCVSS 6.5EG 6.52026-06-12
OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attacke…
- CVE-2026-53859MEDIUMCVSS 6.5EG 6.52026-06-16
OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to…
- CVE-2026-53927MEDIUMCVSS 5.1EG 5.12026-06-17
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled reg…
- CVE-2026-53930MEDIUMCVSS 5.1EG 5.12026-06-17
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abu…
- CVE-2026-53931MEDIUMCVSS 6.9EG 6.92026-06-17
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension a…
- CVE-2026-53944MEDIUMCVSS 5.8EG 5.82026-06-24
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to …
- CVE-2026-53945MEDIUMCVSS 4.0EG 4.02026-06-24
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on intern…
- CVE-2026-53946MEDIUMCVSS 5.4EG 5.42026-06-24
Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, when re-rendering posts, Ghost would refetch missing image dimensions by issuing an outbound HTTP request to the URL stored on an image card — without restricting th…
- CVE-2026-54008HIGHCVSS 8.5EG 8.52026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, backend/open_webui/utils/oauth.py::_process_picture_url calls validate_url(picture_url) on the initial URL only, then invoke…
- CVE-2026-54017HIGHCVSS 7.7EG 7.72026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `p…
- CVE-2026-54018HIGHCVSS 7.7EG 7.72026-06-17
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the SafePlaywrightURLLoader implements a validate_url function to prevent SSRF attacks by checking the IP address of the use…
- CVE-2026-54033MEDIUMCVSS 6.5EG 6.52026-06-25
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting a baseURL. This URL is used to construct HTTP requests wi…
- CVE-2026-54157CRITICALCVSS 9.0EG 9.02026-06-16
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without…
- CVE-2026-5417MEDIUMCVSS 4.7EG 4.72026-04-02
A vulnerability was determined in Dataease SQLbot up to 1.6.0. This issue affects the function get_es_data_by_http of the file backend/apps/db/es_engine.py of the component Elasticsearch Handler. This manipulation of the argument address c…
- CVE-2026-5418HIGHCVSS 7.3EG 7.32026-04-02
A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. S…
- CVE-2026-54299HIGHCVSS 7.5EG 7.52026-06-16
Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from re…
- CVE-2026-54300MEDIUMCVSS 5.3EG 5.32026-06-16
@astrojs/netlify is an adapter that allows Astro to deploy your hybrid or server rendered site to Netlify. Prior to 7.0.13, @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remote_images regular expression…
- CVE-2026-54353HIGHCVSS 7.1EG 7.12026-06-22
Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist b…
- CVE-2026-54401HIGHCVSS 8.8EG 7.72026-07-02
A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) to escalate privileges within such UniFi OS devices or instances.
- CVE-2026-54430MEDIUMCVSS 5.1EG 5.12026-07-02
liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended t…
- CVE-2026-54514MEDIUMCVSS 5.3EG 5.32026-06-23
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddr…
- CVE-2026-54607HIGHCVSS 7.7EG 7.72026-07-07
FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta4, the HTTP-tool OpenAPI schema importer validates only the top-level URL before passing it to SwaggerParser.bundle, whose remote reference resolver fetches $ref URL…
- CVE-2026-5469MEDIUMCVSS 4.7EG 4.72026-04-03
A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the component Webhook URL Handler. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The ven…
- CVE-2026-5470MEDIUMCVSS 6.3EG 6.32026-04-03
A security vulnerability has been detected in mixelpixx Google-Research-MCP 1e062d7bd887bfe5f6e582b6cc288bb897b35cf2/ca613b736ab787bc926932f59cddc69457185a83. This issue affects the function extractContent of the file src/services/content-…
- CVE-2026-55113HIGHCVSS 7.5EG 7.52026-07-02
A malicious actor with access to the network could exploit a Server-Side Request Forgery (SSRF) vulnerability found in UniFi Talk Application to execute a Denial of Service (DoS) attack and bypass authentication in certain UniFi Talk API e…
- CVE-2026-55115CRITICALCVSS 9.9EG 9.92026-07-02
A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) in UniFi Protect Application to escalate privileges on the host device.
- CVE-2026-55187MEDIUMCVSS 5.8EG 5.82026-06-19
Mailpit is an email testing tool and API for developers. Prior to 1.30.2, the remediation shipped for CVE-2026-27808 is incomplete because the tools.IsInternalIP deny-list in internal/tools/net.go relies on Go's standard library classifica…
Map vulnerabilities like CWE-918 to your infrastructure
EchelonGraph correlates every CVE — across CWE-918 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →