Total
2086 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-41495 | 1 Clippercms | 1 Clippercms | 2025-05-15 | N/A | 9.8 CRITICAL |
|
ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php.
|
|||||
| CVE-2022-42149 | 1 Keking | 1 Kkfileview | 2025-05-14 | N/A | 9.8 CRITICAL |
|
kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java.
|
|||||
| CVE-2025-2170 | 1 Sonicwall | 2 Sma1000, Sma1000 Firmware | 2025-05-14 | N/A | 7.2 HIGH |
|
A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface, which in specific conditions could potentially enable a remote unauthenticated attacker to cause the appliance to make requests to an unintended location.
|
|||||
| CVE-2022-41477 | 1 Webidsupport | 1 Webid | 2025-05-14 | N/A | 9.1 CRITICAL |
|
A security issue was discovered in WeBid <=1.2.2. A Server-Side Request Forgery (SSRF) vulnerability in the admin/theme.php file allows remote attackers to inject payloads via theme parameters to read files across directories.
|
|||||
| CVE-2024-10903 | 1 Managewp | 1 Broken Link Checker | 2025-05-14 | N/A | 4.7 MEDIUM |
|
The Broken Link Checker WordPress plugin before 2.4.2 does not validate a the link URLs before making a request to them, which could allow admin users to perform SSRF attack, for example on a multisite installation.
|
|||||
| CVE-2024-26476 | 1 Open-emr | 1 Openemr | 2025-05-13 | N/A | 3.5 LOW |
|
An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.
|
|||||
| CVE-2025-0480 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-13 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic has been found in wuzhicms 4.1.0. This affects the function test of the file coreframe/app/search/admin/config.php. The manipulation of the argument sphinxhost/sphinxport leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-47548 | 1 Wbcomdesigns | 1 Activity Link Preview For Buddypress | 2025-05-12 | N/A | 5.4 MEDIUM |
|
Server-Side Request Forgery (SSRF) vulnerability in Varun Dubey Wbcom Designs - Activity Link Preview For BuddyPress allows Server Side Request Forgery. This issue affects Wbcom Designs - Activity Link Preview For BuddyPress: from n/a through 1.4.4.
|
|||||
| CVE-2025-47635 | 1 Webinarpress | 1 Webinarpress | 2025-05-12 | N/A | 5.5 MEDIUM |
|
Server-Side Request Forgery (SSRF) vulnerability in WPWebinarSystem WebinarPress allows Server Side Request Forgery. This issue affects WebinarPress: from n/a through 1.33.27.
|
|||||
| CVE-2025-4012 | 1 Playeduos | 1 Playedu | 2025-05-12 | 3.3 LOW | 2.7 LOW |
|
A vulnerability was found in playeduxyz PlayEdu 开源培训系统 up to 1.8 and classified as problematic. This issue affects some unknown processing of the file /api/backend/v1/user/create of the component User Avatar Handler. The manipulation of the argument Avatar leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-30420 | 1 Appleple | 1 A-blog Cms | 2025-05-12 | N/A | 4.4 MEDIUM |
|
Server-side request forgery (SSRF) vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploited, a user with an administrator or higher privilege who can log in to the product may obtain arbitrary files on the server and information on the internal server that is not disclosed to the public.
|
|||||
| CVE-2022-3247 | 1 Adenion | 1 Blog2social | 2025-05-09 | N/A | 6.5 MEDIUM |
|
The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks
|
|||||
| CVE-2023-7253 | 1 Importwp | 1 Import Wp | 2025-05-08 | N/A | 6.1 MEDIUM |
|
The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations.
|
|||||
| CVE-2019-0227 | 2 Apache, Oracle | 37 Axis, Agile Engineering Data Management, Agile Product Lifecycle Management and 34 more | 2025-05-08 | 5.4 MEDIUM | 7.5 HIGH |
|
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
|
|||||
| CVE-2025-47483 | 2025-05-08 | N/A | 4.9 MEDIUM | ||
|
Server-Side Request Forgery (SSRF) vulnerability in Iulia Cazan Easy Replace Image allows Server Side Request Forgery. This issue affects Easy Replace Image: from n/a through 3.5.0.
|
|||||
| CVE-2025-47464 | 2025-05-08 | N/A | 4.9 MEDIUM | ||
|
Server-Side Request Forgery (SSRF) vulnerability in solacewp Solace Extra allows Server Side Request Forgery. This issue affects Solace Extra: from n/a through 1.3.1.
|
|||||
| CVE-2025-47484 | 2025-05-08 | N/A | 6.4 MEDIUM | ||
|
Server-Side Request Forgery (SSRF) vulnerability in Oliver Campion Display Remote Posts Block allows Server Side Request Forgery. This issue affects Display Remote Posts Block: from n/a through 1.1.0.
|
|||||
| CVE-2020-17386 | 1 Cellopoint | 1 Cellos | 2025-05-08 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Cellopoint CelloOS v4.1.10 Build 20190922 does not validate URL inputted properly. With cookie of an authenticated user, attackers can temper with the URL parameter and access arbitrary file on system.
|
|||||
| CVE-2022-36451 | 1 Mitel | 1 Micollab | 2025-05-07 | N/A | 8.8 HIGH |
|
A vulnerability in the MiCollab Client server component of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to conduct a Server-Side Request Forgery (SSRF) attack due to insufficient restriction of URL parameters. A successful exploit could allow an attacker to leverage connections and permissions available to the host server.
|
|||||
| CVE-2022-38580 | 1 Zalando | 1 Skipper | 2025-05-07 | N/A | 9.8 CRITICAL |
|
Zalando Skipper v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF).
|
|||||
| CVE-2022-43776 | 1 Metabase | 1 Metabase | 2025-05-07 | N/A | 6.5 MEDIUM |
|
The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects.
|
|||||
| CVE-2022-40296 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 9.8 CRITICAL |
|
The application was vulnerable to a Server-Side Request Forgery attacks, allowing the backend server to interact with unexpected endpoints, potentially including internal and local services, leading to attacks in other downstream systems.
|
|||||
| CVE-2024-1812 | 1 Wpeverest | 1 Everest Forms | 2025-05-06 | N/A | 7.2 HIGH |
|
The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.7 via the 'font_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
|
|||||
| CVE-2023-36661 | 2 Debian, Shibboleth | 2 Debian Linux, Xmltooling | 2025-05-05 | N/A | 7.5 HIGH |
|
Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)
|
|||||
| CVE-2022-3708 | 1 Google | 1 Web Stories | 2025-05-05 | N/A | 9.6 CRITICAL |
|
The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter found via the /v1/hotlink/proxy REST API Endpoint. This makes it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
|
|||||
| CVE-2021-37498 | 1 Reprisesoftware | 1 Reprise License Manager | 2025-04-30 | N/A | 6.5 MEDIUM |
|
An SSRF issue was discovered in Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers, conduct port scans via the actserver parameter in License Activation function.
|
|||||
| CVE-2024-48951 | 1 Logpoint | 1 Siem | 2025-04-30 | N/A | 7.5 HIGH |
|
An issue was discovered in Logpoint before 7.5.0. Server-Side Request Forgery (SSRF) on SOAR can be used to leak Logpoint's API Token leading to authentication bypass.
|
|||||
| CVE-2025-31117 | 1 Open-emr | 1 Openemr | 2025-04-30 | N/A | 7.5 HIGH |
|
OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in OpenEMR, allowing an attacker to force the server to make unauthorized requests to external or internal resources. this attack does not return a direct response but can be exploited through DNS or HTTP interactions to exfiltrate sensitive information. This vulnerability is fixed in 7.0.3.1.
|
|||||
| CVE-2022-42894 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2025-04-30 | N/A | 7.5 HIGH |
|
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). An unauthenticated Server-Side Request Forgery (SSRF) vulnerability was identified in one of the web services exposed on the syngo Dynamics application that could allow for the leaking of NTLM credentials as well as local service enumeration.
|
|||||
| CVE-2022-43140 | 1 Keking | 1 Kkfileview | 2025-04-30 | N/A | 7.5 HIGH |
|
kkFileView v4.1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component cn.keking.web.controller.OnlinePreviewController#getCorsFile. This vulnerability allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the url parameter.
|
|||||
| CVE-2022-43183 | 1 Xuxueli | 1 Xxl-job | 2025-04-29 | N/A | 8.8 HIGH |
|
XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.
|
|||||
| CVE-2022-40842 | 1 Ndk-design | 1 Ndkadvancedcustomizationfields | 2025-04-29 | N/A | 9.1 CRITICAL |
|
ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Server-side request forgery (SSRF) via rotateimg.php.
|
|||||
| CVE-2022-45152 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2025-04-29 | N/A | 9.1 CRITICAL |
|
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.
|
|||||
| CVE-2025-46511 | 2025-04-29 | N/A | 6.4 MEDIUM | ||
|
Server-Side Request Forgery (SSRF) vulnerability in Derek Springer BeerXML Shortcode allows Server Side Request Forgery. This issue affects BeerXML Shortcode: from n/a through 0.71.
|
|||||
| CVE-2025-46503 | 2025-04-29 | N/A | 4.9 MEDIUM | ||
|
Server-Side Request Forgery (SSRF) vulnerability in josheli Simple Google Photos Grid allows Server Side Request Forgery. This issue affects Simple Google Photos Grid: from n/a through 1.5.
|
|||||
| CVE-2025-46531 | 2025-04-29 | N/A | 4.9 MEDIUM | ||
|
Server-Side Request Forgery (SSRF) vulnerability in Ankur Vishwakarma WP AVCL Automation Helper (formerly WPFlyLeads) allows Server Side Request Forgery. This issue affects WP AVCL Automation Helper (formerly WPFlyLeads): from n/a through 3.4.
|
|||||
| CVE-2025-46443 | 2025-04-29 | N/A | 4.9 MEDIUM | ||
|
Server-Side Request Forgery (SSRF) vulnerability in Adam Pery Animate allows Server Side Request Forgery. This issue affects Animate: from n/a through 0.5.
|
|||||
| CVE-2024-33864 | 2 Linqi, Microsoft | 2 Linqi, Windows | 2025-04-28 | N/A | 5.9 MEDIUM |
|
An issue was discovered in linqi before 1.4.0.1 on Windows. There is SSRF via Document template generation; i.e., via remote images in process creation, file inclusion, and PDF document generation via malicious JavaScript.
|
|||||
| CVE-2025-29449 | 1 Lm21 | 1 Twonav | 2025-04-25 | N/A | 6.5 MEDIUM |
|
An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the link identification function.
|
|||||
| CVE-2025-29460 | 1 Mybb | 1 Mybb | 2025-04-25 | N/A | 7.6 HIGH |
|
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
|
|||||