Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4600 vulnerabilities reference this CWE, most recent first.

GHSA-WRX7-QGMJ-MF2Q

Vulnerability from github – Published: 2022-01-08 00:43 – Updated: 2022-01-07 23:16
VLAI
Summary
Server-Side Request Forgery in Apache Kylin
Details

All request mappings in StreamingCoordinatorController.java handling /kylin/api/streaming_coordinator/* REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.kylin:kylin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-27738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-07T23:16:38Z",
    "nvd_published_at": "2022-01-06T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.",
  "id": "GHSA-wrx7-qgmj-mf2q",
  "modified": "2022-01-07T23:16:38Z",
  "published": "2022-01-08T00:43:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27738"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/kylin/pull/1646"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/kylin"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/01/06/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Server-Side Request Forgery in Apache Kylin"
}

GHSA-WV3H-5FX7-966H

Vulnerability from github – Published: 2026-04-04 06:10 – Updated: 2026-04-07 14:20
VLAI
Summary
Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
Details

Summary

A Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation.

Details

Directus implements an IP deny-list to prevent server-side requests to internal/private network ranges. The validation logic failed to normalize IPv4-Mapped IPv6 addresses (e.g., the IPv6 representation of 127.0.0.1) before checking them against the deny-list. Because the deny-list check did not recognize these mapped addresses as equivalent to their IPv4 counterparts, an attacker could bypass the restriction while the underlying HTTP client and operating system still resolved and connected to the intended private target.

This has been fixed by adding a normalization step that converts IPv4-Mapped IPv6 addresses to their canonical IPv4 form prior to validation.

Impact

An authenticated user (or an unauthenticated user if public file-import permissions are enabled) could exploit this bypass to perform SSRF attacks against internal services on the same host (databases, caches, internal APIs) or cloud instance metadata endpoints (e.g., AWS/GCP/Azure IMDS).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:10:53Z",
    "nvd_published_at": "2026-04-06T22:16:21Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation.\n\n### Details\nDirectus implements an IP deny-list to prevent server-side requests to internal/private network ranges. The validation logic failed to normalize IPv4-Mapped IPv6 addresses (e.g., the IPv6 representation of `127.0.0.1`) before checking them against the deny-list. Because the deny-list check did not recognize these mapped addresses as equivalent to their IPv4 counterparts, an attacker could bypass the restriction while the underlying HTTP client and operating system still resolved and connected to the intended private target.\n\nThis has been fixed by adding a normalization step that converts IPv4-Mapped IPv6 addresses to their canonical IPv4 form prior to validation.\n\n### Impact\nAn authenticated user (or an unauthenticated user if public file-import permissions are enabled) could exploit this bypass to perform SSRF attacks against internal services on the same host (databases, caches, internal APIs) or cloud instance metadata endpoints (e.g., AWS/GCP/Azure IMDS).",
  "id": "GHSA-wv3h-5fx7-966h",
  "modified": "2026-04-07T14:20:08Z",
  "published": "2026-04-04T06:10:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-wv3h-5fx7-966h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35409"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import"
}

GHSA-WV5J-J74P-FV28

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-35209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601",
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-02T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in ProxyServlet.java in the /proxy servlet in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.x before 9.0.0 Patch 16. The value of the X-Host header overwrites the value of the Host header in proxied requests. The value of X-Host header is not checked against the whitelist of hosts Zimbra is allowed to proxy to (the zimbraProxyAllowedDomains setting).",
  "id": "GHSA-wv5j-j74p-fv28",
  "modified": "2022-05-24T19:06:48Z",
  "published": "2022-05-24T19:06:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35209"
    },
    {
      "type": "WEB",
      "url": "https://blog.sonarsource.com/zimbra-webmail-compromise-via-email"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Security_Center"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P23"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16"
    },
    {
      "type": "WEB",
      "url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WVFV-3QJH-QWXJ

Vulnerability from github – Published: 2026-06-11 18:31 – Updated: 2026-06-11 18:31
VLAI
Details

IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T16:16:22Z",
    "severity": "MODERATE"
  },
  "details": "IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.",
  "id": "GHSA-wvfv-3qjh-qwxj",
  "modified": "2026-06-11T18:31:34Z",
  "published": "2026-06-11T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3341"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7275444"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVQF-QCWJ-MJXR

Vulnerability from github – Published: 2024-09-07 18:30 – Updated: 2024-09-07 18:30
VLAI
Details

A server side request forgery vulnerability allows a low-privileged user to perform local privilege escalation through exploiting an SSRF vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-07T17:15:13Z",
    "severity": "HIGH"
  },
  "details": "A server side request forgery vulnerability allows a low-privileged user to perform local privilege escalation through exploiting an SSRF vulnerability.",
  "id": "GHSA-wvqf-qcwj-mjxr",
  "modified": "2024-09-07T18:30:24Z",
  "published": "2024-09-07T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40718"
    },
    {
      "type": "WEB",
      "url": "https://www.veeam.com/kb4649"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVWC-5CJJ-52F5

Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-16 18:31
VLAI
Details

PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T17:16:02Z",
    "severity": "LOW"
  },
  "details": "PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the \u0027shortdesc\u0027 parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.",
  "id": "GHSA-wvwc-5cjj-52f5",
  "modified": "2025-12-16T18:31:34Z",
  "published": "2025-12-16T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53899"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PodcastGenerator/PodcastGenerator"
    },
    {
      "type": "WEB",
      "url": "https://podcastgenerator.net"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51565"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/podcastgenerator-blind-server-side-request-forgery-via-xml-injection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WW52-R3FC-HC5V

Vulnerability from github – Published: 2023-03-04 00:30 – Updated: 2023-03-10 15:30
VLAI
Details

Report v0.9.8.6 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46973"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-03T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Report v0.9.8.6 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability.",
  "id": "GHSA-ww52-r3fc-hc5v",
  "modified": "2023-03-10T15:30:42Z",
  "published": "2023-03-04T00:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46973"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anji-plus/report/issues/15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fw-fW-fw/UPDATE-CVE/blob/main/CVE-2022-46973"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW95-R66Q-V2HH

Vulnerability from github – Published: 2026-02-19 15:30 – Updated: 2026-02-23 15:31
VLAI
Details

SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF converter function does not check if internal or external resources are requested in the uploaded files and allows for protocols such as http:// and file:///. This allows an attacker to upload an XML or HTML file in the application, which when rendered to a PDF allows for internal port scanning and Local File Inclusion (LFI).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55853"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T15:16:11Z",
    "severity": "CRITICAL"
  },
  "details": "SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF converter function does not check if internal or external resources are requested in the uploaded files and allows for protocols such as http:// and file:///. This allows an attacker to upload an XML or HTML file in the application, which when rendered to a PDF allows for internal port scanning and Local File Inclusion (LFI).",
  "id": "GHSA-ww95-r66q-v2hh",
  "modified": "2026-02-23T15:31:14Z",
  "published": "2026-02-19T15:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55853"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Vivz13/CVE-2025-55853/tree/main"
    },
    {
      "type": "WEB",
      "url": "https://www.webpdf.de"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWCH-WQ4R-QH4W

Vulnerability from github – Published: 2025-12-31 18:30 – Updated: 2026-04-01 18:36
VLAI
Details

Server-Side Request Forgery (SSRF) vulnerability in Jthemes Genemy allows Server Side Request Forgery.This issue affects Genemy: from n/a through 1.6.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-31T17:15:44Z",
    "severity": "MODERATE"
  },
  "details": "Server-Side Request Forgery (SSRF) vulnerability in Jthemes Genemy allows Server Side Request Forgery.This issue affects Genemy: from n/a through 1.6.6.",
  "id": "GHSA-wwch-wq4r-qh4w",
  "modified": "2026-04-01T18:36:29Z",
  "published": "2025-12-31T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59138"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/wordpress/theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWJM-C5Q6-9GFH

Vulnerability from github – Published: 2021-12-01 00:00 – Updated: 2022-04-28 00:01
VLAI
Details

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-30T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.",
  "id": "GHSA-wwjm-c5q6-9gfh",
  "modified": "2022-04-28T00:01:24Z",
  "published": "2021-12-01T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43296"
    },
    {
      "type": "WEB",
      "url": "https://manageengine.com"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/support-center/readme.html#11016"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.