Total
1531 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-47464 | | | 2025-05-08 | N/A | 4.9 MEDIUM |
Server-Side Request Forgery (SSRF) vulnerability in solacewp Solace Extra allows Server Side Request Forgery. This issue affects Solace Extra: from n/a through 1.3.1. | |||||
CVE-2025-47484 | | | 2025-05-08 | N/A | 6.4 MEDIUM |
Server-Side Request Forgery (SSRF) vulnerability in Oliver Campion Display Remote Posts Block allows Server Side Request Forgery. This issue affects Display Remote Posts Block: from n/a through 1.1.0. | |||||
CVE-2025-47483 | | | 2025-05-08 | N/A | 4.9 MEDIUM |
Server-Side Request Forgery (SSRF) vulnerability in Iulia Cazan Easy Replace Image allows Server Side Request Forgery. This issue affects Easy Replace Image: from n/a through 3.5.0. | |||||
CVE-2025-47664 | | | 2025-05-08 | N/A | 4.4 MEDIUM |
Server-Side Request Forgery (SSRF) vulnerability in ThimPress WP Pipes allows Server Side Request Forgery. This issue affects WP Pipes: from n/a through 1.4.2. | |||||
CVE-2020-17386 | 1 Cellopoint | 1 Cellos | 2025-05-08 | 4.0 MEDIUM | 6.5 MEDIUM |
Cellopoint CelloOS v4.1.10 Build 20190922 does not properly validate URL input. With the cookie of an authenticated user, attackers can tamper with the URL parameter and access arbitrary files on the system. | |||||
CVE-2022-36451 | 1 Mitel | 1 Micollab | 2025-05-07 | N/A | 8.8 HIGH |
A vulnerability in the MiCollab Client server component of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to conduct a Server-Side Request Forgery (SSRF) attack due to insufficient restriction of URL parameters. A successful exploit could allow an attacker to leverage connections and permissions available to the host server. | |||||
CVE-2022-38580 | 1 Zalando | 1 Skipper | 2025-05-07 | N/A | 9.8 CRITICAL |
Zalando Skipper v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF). | |||||
CVE-2022-43776 | 1 Metabase | 1 Metabase | 2025-05-07 | N/A | 6.5 MEDIUM |
The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects. | |||||
CVE-2025-45250 | | | 2025-05-07 | N/A | 5.5 MEDIUM |
MrDoc v0.95 and before is vulnerable to Server-Side Request Forgery (SSRF) in the validate_url function of the app_doc/utils.py file. | |||||
CVE-2022-40296 | 1 Phppointofsale | 1 Php Point Of Sale | 2025-05-06 | N/A | 9.8 CRITICAL |
The application was vulnerable to Server-Side Request Forgery attacks, allowing the backend server to interact with unexpected endpoints, potentially including internal and local services, leading to attacks in other downstream systems. | |||||
CVE-2024-1812 | 1 Wpeverest | 1 Everest Forms | 2025-05-06 | N/A | 7.2 HIGH |
The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.7 via the 'font_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
CVE-2023-36661 | 2 Debian, Shibboleth | 2 Debian Linux, Xmltooling | 2025-05-05 | N/A | 7.5 HIGH |
Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.) | |||||
CVE-2022-3708 | 1 Google | 1 Web Stories | 2025-05-05 | N/A | 9.6 CRITICAL |
The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter found via the /v1/hotlink/proxy REST API Endpoint. This makes it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
CVE-2024-48907 | | | 2025-05-02 | N/A | 7.5 HIGH |
Sematell ReplyOne 7.4.3.0 allows SSRF via the application server API. | |||||
CVE-2025-46568 | | | 2025-05-02 | N/A | N/A |
Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Prior to version 0.45.0, Stirling-PDF is vulnerable to SSRF-induced arbitrary file read. WeasyPrint redefines a set of HTML tags, including img, embed, object, and others. The references to several files inside allow the attachment of content from any webpage or local file to a PDF. This allows the attacker to read any file on the server, including sensitive files and configuration files. All users utilizing this feature will be affected. This issue has been patched in version 0.45.0. | |||||
CVE-2024-55910 | | | 2025-05-02 | N/A | 6.5 MEDIUM |
IBM Concert Software 1.0.0 through 1.0.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | |||||
CVE-2021-37498 | 1 Reprisesoftware | 1 Reprise License Manager | 2025-04-30 | N/A | 6.5 MEDIUM |
An SSRF issue was discovered in the Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers and conduct port scans via the actserver parameter in the License Activation function. | |||||
CVE-2024-48951 | 1 Logpoint | 1 Siem | 2025-04-30 | N/A | 7.5 HIGH |
An issue was discovered in Logpoint before 7.5.0. Server-Side Request Forgery (SSRF) on SOAR can be used to leak Logpoint's API Token leading to authentication bypass. | |||||
CVE-2025-31117 | 1 Open-emr | 1 Openemr | 2025-04-30 | N/A | 7.5 HIGH |
OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in OpenEMR, allowing an attacker to force the server to make unauthorized requests to external or internal resources. This attack does not return a direct response but can be exploited through DNS or HTTP interactions to exfiltrate sensitive information. This vulnerability is fixed in 7.0.3.1. | |||||
CVE-2022-42894 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2025-04-30 | N/A | 7.5 HIGH |
A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). An unauthenticated Server-Side Request Forgery (SSRF) vulnerability was identified in one of the web services exposed on the syngo Dynamics application that could allow for the leaking of NTLM credentials as well as local service enumeration. |