Vulnerabilities (CVE)

Filtered by CWE-918
Total 1553 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2025-29453 1 Personal-management-system 1 Personal Management System 2025-04-22 N/A 6.5 MEDIUM
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the my-contacts-settings component.
CVE-2025-29454 1 Personal-management-system 1 Personal Management System 2025-04-22 N/A 6.5 MEDIUM
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Upload function.
CVE-2025-29455 1 Personal-management-system 1 Personal Management System 2025-04-22 N/A 6.5 MEDIUM
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the Travel Ideas" function.
CVE-2025-29456 1 Personal-management-system 1 Personal Management System 2025-04-22 N/A 6.5 MEDIUM
An issue in personal-management-system Personal Management System 1.4.65 allows a remote attacker to obtain sensitive information via the create Notes function.
CVE-2022-29309 1 Wangl1989 1 Mysiteforme 2025-04-22 5.0 MEDIUM 7.5 HIGH
mysiteforme v2.2.1 was discovered to contain a Server-Side Request Forgery.
CVE-2025-28197 2025-04-22 N/A 9.1 CRITICAL
Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py.
CVE-2022-46364 1 Apache 1 Cxf 2025-04-22 N/A 9.8 CRITICAL
A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. 
CVE-2025-32102 2025-04-21 N/A 5.0 MEDIUM
CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF via the host and port parameters in a command=telnetSocket request to the /WebInterface/function/ URI.
CVE-2016-7051 1 Fasterxml 1 Jackson-dataformat-xml 2025-04-20 5.0 MEDIUM 8.6 HIGH
XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD.
CVE-2017-12071 1 Synology 1 Photo Station 2025-04-20 4.0 MEDIUM 6.5 MEDIUM
Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter.
CVE-2017-16870 1 Updraftplus 1 Updraftplus 2025-04-20 6.8 MEDIUM 8.1 HIGH
The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF in the updraft_ajax_handler function in /wp-content/plugins/updraftplus/admin.php via an httpget subaction. NOTE: the vendor reports that this does not cross a privilege boundary
CVE-2017-6036 1 Belden Hirschmann 2 Gecko Lite Managed Switch, Gecko Lite Managed Switch Firmware 2025-04-20 4.3 MEDIUM 6.5 MEDIUM
A Server-Side Request Forgery issue was discovered in Belden Hirschmann GECKO Lite Managed switch, Version 2.0.00 and prior versions. The web server receives a request, but does not sufficiently verify that the request is being sent to the expected destination.
CVE-2017-9506 1 Atlassian 1 Oauth 2025-04-20 4.3 MEDIUM 6.1 MEDIUM
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
CVE-2017-7569 1 Vbulletin 1 Vbulletin 2025-04-20 5.0 MEDIUM 8.6 HIGH
In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037.
CVE-2017-1000017 1 Phpmyadmin 1 Phpmyadmin 2025-04-20 6.5 MEDIUM 8.8 HIGH
phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server
CVE-2017-0889 1 Thoughtbot 1 Paperclip 2025-04-20 7.5 HIGH 9.8 CRITICAL
Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources.
CVE-2017-1000237 1 I-librarian 1 I Librarian 2025-04-20 7.5 HIGH 9.8 CRITICAL
I, Librarian version <=4.6 & 4.7 is vulnerable to Server-Side Request Forgery in the ajaxsupplement.php resulting in the attacker being able to reset any user's password.
CVE-2017-8794 1 Accellion 1 File Transfer Appliance 2025-04-20 6.4 MEDIUM 10.0 CRITICAL
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.html allows SSRF attacks with a file:///etc/passwd#https:// URL pattern.
CVE-2016-7999 1 Spip 1 Spip 2025-04-20 4.3 MEDIUM 7.4 HIGH
ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.
CVE-2017-4928 1 Vmware 1 Vcenter Server 2025-04-20 5.0 MEDIUM 7.5 HIGH
The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure.