CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4615 vulnerabilities reference this CWE, most recent first.
CVE-2026-41129 (GCVE-0-2026-41129)
Vulnerability from cvelistv5 – Published: 2026-04-21 23:34 – Updated: 2026-04-22 18:11- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/craftcms/cms/security/advisori… | x_refsource_CONFIRM |
| https://github.com/craftcms/cms/commit/d20aecfaa0… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T17:52:52.342137Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T18:11:08.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.9.15"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.17.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: \"Edit assets in the \u003cVolumeName\u003e volume\" and \"Create assets in the \u003cVolumeName\u003e volume.\" Versions 4.17.9 and 5.9.15 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T23:34:56.801Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx"
},
{
"name": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f"
}
],
"source": {
"advisory": "GHSA-3m9m-24vh-39wx",
"discovery": "UNKNOWN"
},
"title": "Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41129",
"datePublished": "2026-04-21T23:34:56.801Z",
"dateReserved": "2026-04-17T12:59:15.737Z",
"dateUpdated": "2026-04-22T18:11:08.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41105 (GCVE-0-2026-41105)
Vulnerability from cvelistv5 – Published: 2026-05-07 20:58 – Updated: 2026-06-19 16:13 Exclusively Hosted Service- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Azure Monitor Action Group notification system |
Affected:
-
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-09T03:56:08.287102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T14:30:30.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Azure Monitor Action Group notification system",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "-"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:azure_monitor_action_group_notification_system:*:*:*:*:*:*:*:*",
"versionStartIncluding": "-",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-05-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T16:13:17.695Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41105"
}
],
"tags": [
"exclusively-hosted-service"
],
"title": "Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-41105",
"datePublished": "2026-05-07T20:58:47.705Z",
"dateReserved": "2026-04-16T19:12:36.195Z",
"dateUpdated": "2026-06-19T16:13:17.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41060 (GCVE-0-2026-41060)
Vulnerability from cvelistv5 – Published: 2026-04-21 22:44 – Updated: 2026-04-22 14:02- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/WWBN/AVideo/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/WWBN/AVideo/commit/a0156a63983… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41060",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T14:01:31.813912Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T14:02:06.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-j432-4w3j-3w8j"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c= 29.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/functions.php` contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches `webSiteRootURL` to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site\u0027s public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration. Commit a0156a6398362086390d949190f9d52a823000ba fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T22:44:44.461Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-j432-4w3j-3w8j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-j432-4w3j-3w8j"
},
{
"name": "https://github.com/WWBN/AVideo/commit/a0156a6398362086390d949190f9d52a823000ba",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo/commit/a0156a6398362086390d949190f9d52a823000ba"
}
],
"source": {
"advisory": "GHSA-j432-4w3j-3w8j",
"discovery": "UNKNOWN"
},
"title": "AVideo\u0027s SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41060",
"datePublished": "2026-04-21T22:44:44.461Z",
"dateReserved": "2026-04-16T16:43:03.173Z",
"dateUpdated": "2026-04-22T14:02:06.458Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41055 (GCVE-0-2026-41055)
Vulnerability from cvelistv5 – Published: 2026-04-21 22:25 – Updated: 2026-04-22 14:00- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/WWBN/AVideo/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/WWBN/AVideo/security/advisorie… | x_refsource_MISC |
| https://github.com/WWBN/AVideo/commit/0e56382921f… | x_refsource_MISC |
| https://github.com/WWBN/AVideo/commit/8d8fc0cadb4… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41055",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T14:00:09.342567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T14:00:50.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c 26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo\u0027s LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T22:35:27.054Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp"
},
{
"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw"
},
{
"name": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917"
},
{
"name": "https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8"
}
],
"source": {
"advisory": "GHSA-793q-xgj6-7frp",
"discovery": "UNKNOWN"
},
"title": "AVideo has an incomplete fix for CVE-2026-33039 (SSRF)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41055",
"datePublished": "2026-04-21T22:25:45.488Z",
"dateReserved": "2026-04-16T16:43:03.172Z",
"dateUpdated": "2026-04-22T14:00:50.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40999 (GCVE-0-2026-40999)
Vulnerability from cvelistv5 – Published: 2026-06-11 05:04 – Updated: 2026-06-23 19:52- CWE-918 - Server-Side Request Forgery (SSRF)
| Vendor | Product | Version | |
|---|---|---|---|
| Spring | Spring Web Services |
Affected:
5.0.0 , < 5.0.1.1
(custom)
Affected: 4.1.0 , < 4.1.3.1 (custom) Affected: 4.0.0 , < 4.0.19 (custom) Affected: 3.1.0 , < 3.1.9 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T15:06:46.401478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T16:13:51.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Web Services",
"vendor": "Spring",
"versions": [
{
"lessThan": "5.0.1.1",
"status": "affected",
"version": "5.0.0",
"versionType": "custom"
},
{
"lessThan": "4.1.3.1",
"status": "affected",
"version": "4.1.0",
"versionType": "custom"
},
{
"lessThan": "4.0.19",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "3.1.9",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8."
}
],
"value": "When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to.\n\nAffected versions:\nSpring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A remote attacker can supply crafted WS-Addressing ReplyTo or FaultTo headers that cause the server to initiate outbound connections to internal-only hosts, cloud metadata endpoints, or other sensitive destinations."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T19:52:42.934Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-40999"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spring WS SSRF via unvalidated WS-Addressing reply destinations",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-40999",
"datePublished": "2026-06-11T05:04:17.009Z",
"dateReserved": "2026-04-16T02:19:12.970Z",
"dateUpdated": "2026-06-23T19:52:42.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40566 (GCVE-0-2026-40566)
Vulnerability from cvelistv5 – Published: 2026-04-21 16:04 – Updated: 2026-04-21 17:33- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/freescout-help-desk/freescout/… | x_refsource_CONFIRM |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| freescout-help-desk | freescout |
Affected:
< 1.8.213
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40566",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T17:33:06.910770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T17:33:11.528Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freescout",
"vendor": "freescout-help-desk",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.213"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout\u0027s `MailboxesController`. Three AJAX actions `fetch_test` (line 731), `send_test` (line 682), and `imap_folders` (line 773) in `app/Http/Controllers/MailboxesController.php` pass admin-configured `in_server`/`in_port` and `out_server`/`out_port` values directly to `fsockopen()` via `Helper::checkPort()` and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project\u0027s own `sanitizeRemoteUrl()` or `checkUrlIpAndHost()` functions. The validation block in `connectionIncomingSave()` is entirely commented out. An authenticated admin can configure a mailbox\u0027s IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via `fsockopen()`) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target\u0027s service banner or error response is captured in the IMAP debug log and returned in the AJAX response\u0027s `log` field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at `169[.]254[.]169[.]254` can be probed and partial response data may be leaked through protocol error messages. This is distinct from the `sanitizeRemoteUrl()` redirect bypass (freescout-3) -- different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:04:35.587Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g"
},
{
"name": "https://github.com/freescout-help-desk/freescout/commit/efe82e31b4a0d4c0b20025d09df0615e8139ff08",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/commit/efe82e31b4a0d4c0b20025d09df0615e8139ff08"
},
{
"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"
}
],
"source": {
"advisory": "GHSA-fg98-rgx6-8x4g",
"discovery": "UNKNOWN"
},
"title": "FreeScout vulnerable to SSRF via IMAP/SMTP Connection Test Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40566",
"datePublished": "2026-04-21T16:04:35.587Z",
"dateReserved": "2026-04-14T13:24:29.474Z",
"dateUpdated": "2026-04-21T17:33:11.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40564 (GCVE-0-2026-40564)
Vulnerability from cvelistv5 – Published: 2026-05-26 14:38 – Updated: 2026-06-02 14:12| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Flink Kubernetes Operator |
Affected:
1.3.0 , < 1.15.0
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-26T16:18:03.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/26/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-40564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T14:11:43.962546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:12:08.938Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Flink Kubernetes Operator",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.15.0",
"status": "affected",
"version": "1.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andrea Cosentino"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andrea Cosentino"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eFiles or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.\u003c/p\u003eThe FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;This lets a user with CR create permissions read files from the operator pod\u0027s filesystem and pull content from any backing store reachable through Flink\u0027s pluggable filesystem layer \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eand access them through the submitted Flink job\u003c/span\u003e. Furthermore for fetching from http/https addresses\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethere is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.\u003c/span\u003e\u003c/span\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.15.0, which fixes the issue.\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.\n\nThe FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.\u00a0\u00a0This lets a user with CR create permissions read files from the operator pod\u0027s filesystem and pull content from any backing store reachable through Flink\u0027s pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses\u00a0there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0.\n\nUsers are recommended to upgrade to version 1.15.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T14:38:21.937Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/jvxs2kh2o60sl7qkl5nss4r5phzfl4cz"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-40564",
"datePublished": "2026-05-26T14:38:21.937Z",
"dateReserved": "2026-04-14T12:59:12.603Z",
"dateUpdated": "2026-06-02T14:12:08.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40516 (GCVE-0-2026-40516)
Vulnerability from cvelistv5 – Published: 2026-04-17 16:02 – Updated: 2026-07-14 20:00- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/HKUDS/OpenHarness/pull/92 | issue-tracking |
| https://github.com/HKUDS/OpenHarness/commit/bd4df… | patch |
| https://www.vulncheck.com/advisories/openharness-… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| HKUDS | OpenHarness |
Affected:
0 , < bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae
(git)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40516",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T16:27:07.696134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T16:27:11.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/HKUDS/OpenHarness/pull/92"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:github/HKUDS/OpenHarness",
"product": "OpenHarness",
"repo": "https://github.com/HKUDS/OpenHarness",
"vendor": "HKUDS",
"versions": [
{
"lessThan": "bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hkuds:openharness:*:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chia Min Jun Lennon"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OpenHarness before commit\u0026nbsp;bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attackers can influence an agent session to invoke these tools against loopback, RFC1918, link-local, or other non-public addresses to read response bodies from local development services, cloud metadata endpoints, admin panels, or other private HTTP services reachable from the victim host.\u003cbr\u003e"
}
],
"value": "OpenHarness before commit\u00a0bd4df81 contains a server-side request forgery vulnerability in the web_fetch and web_search tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attackers can influence an agent session to invoke these tools against loopback, RFC1918, link-local, or other non-public addresses to read response bodies from local development services, cloud metadata endpoints, admin panels, or other private HTTP services reachable from the victim host."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T20:00:30.592Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/HKUDS/OpenHarness/pull/92"
},
{
"tags": [
"patch"
],
"url": "https://github.com/HKUDS/OpenHarness/commit/bd4df81f634f8c7cddcc3fdf7f561a13dcbf03ae"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openharness-ssrf-via-web-fetch-and-web-search"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OpenHarness SSRF via web_fetch and web_search",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-40516",
"datePublished": "2026-04-17T16:02:09.082Z",
"dateReserved": "2026-04-13T20:29:02.809Z",
"dateUpdated": "2026-07-14T20:00:30.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40500 (GCVE-0-2026-40500)
Vulnerability from cvelistv5 – Published: 2026-04-15 21:25 – Updated: 2026-07-09 22:59This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. The "Add Module from URL" feature requires superuser privileges (root-equivalent in ProcessWire) who already has unrestricted arbitrary code execution via standard module upload, making the SSRF vector incapable of providing incremental attack surface. The feature is also disabled by default and requires direct filesystem access to enable.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2026-07-09T22:59:18.996Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThis CVE ID has been rejected or withdrawn by its CVE Numbering Authority. The \"Add Module from URL\" feature requires superuser privileges (root-equivalent in ProcessWire) who already has unrestricted arbitrary code execution via standard module upload, making the SSRF vector incapable of providing incremental attack surface. The feature is also disabled by default and requires direct filesystem access to enable.\u003c/p\u003e"
}
],
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. The \"Add Module from URL\" feature requires superuser privileges (root-equivalent in ProcessWire) who already has unrestricted arbitrary code execution via standard module upload, making the SSRF vector incapable of providing incremental attack surface. The feature is also disabled by default and requires direct filesystem access to enable."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-40500",
"datePublished": "2026-04-15T21:25:53.214Z",
"dateRejected": "2026-07-09T22:59:18.996Z",
"dateReserved": "2026-04-13T20:29:02.808Z",
"dateUpdated": "2026-07-09T22:59:18.996Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40348 (GCVE-0-2026-40348)
Vulnerability from cvelistv5 – Published: 2026-04-18 00:01 – Updated: 2026-04-20 16:11- CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/leepeuker/movary/security/advi… | x_refsource_CONFIRM |
| https://github.com/leepeuker/movary/pull/751 | x_refsource_MISC |
| https://github.com/leepeuker/movary/commit/d459b3… | x_refsource_MISC |
| https://github.com/leepeuker/movary/releases/tag/0.71.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40348",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T16:11:27.734379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T16:11:32.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/leepeuker/movary/security/advisories/GHSA-2m2v-v563-qqvj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "movary",
"vendor": "leepeuker",
"versions": [
{
"status": "affected",
"version": "\u003c 0.71.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Movary is a self hosted web app to track and rate a user\u0027s watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. The endpoint accepts a user-controlled URL, appends `/system/info/public`, and sends a server-side HTTP request with Guzzle. Because there is no restriction on internal hosts, loopback addresses, or private network ranges, this can be abused for SSRF and internal network probing. Any ordinary authenticated user can use this endpoint to make the server connect to arbitrary internal targets and distinguish between different network states. This enables SSRF-based internal reconnaissance, including host discovery, port-state probing, and service fingerprinting. In certain deployments, it may also be usable to reach internal administrative services or cloud metadata endpoints that are not directly accessible from the outside. Version 0.71.1 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T00:01:09.725Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/leepeuker/movary/security/advisories/GHSA-2m2v-v563-qqvj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/leepeuker/movary/security/advisories/GHSA-2m2v-v563-qqvj"
},
{
"name": "https://github.com/leepeuker/movary/pull/751",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/leepeuker/movary/pull/751"
},
{
"name": "https://github.com/leepeuker/movary/commit/d459b3513293d41254f7093aef07010a8e5dcf04",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/leepeuker/movary/commit/d459b3513293d41254f7093aef07010a8e5dcf04"
},
{
"name": "https://github.com/leepeuker/movary/releases/tag/0.71.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/leepeuker/movary/releases/tag/0.71.1"
}
],
"source": {
"advisory": "GHSA-2m2v-v563-qqvj",
"discovery": "UNKNOWN"
},
"title": "Movary has Authenticated SSRF via Jellyfin Server URL Verification that Allows Internal Network Probing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40348",
"datePublished": "2026-04-18T00:01:09.725Z",
"dateReserved": "2026-04-10T22:50:01.359Z",
"dateUpdated": "2026-04-20T16:11:32.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.