Total
1819 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10524 | 2025-03-21 | N/A | 6.5 MEDIUM | ||
| Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host. | |||||
| CVE-2024-27564 | 1 Dirk1983 | 1 Chatgpt | 2025-03-20 | N/A | 5.8 MEDIUM |
| pictureproxy.php in the dirk1983 mm1.ltd source code f9f4bbc allows SSRF via the url parameter. NOTE: the references section has an archived copy of pictureproxy.php from its original GitHub location, but the repository name might later change because it is misleading. | |||||
| CVE-2024-8099 | 2025-03-20 | N/A | 8.3 HIGH | ||
| A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of vanna-ai/vanna when using DuckDB as the database. An attacker can exploit this vulnerability by submitting crafted SQL queries that leverage DuckDB's default features, such as `read_csv`, `read_csv_auto`, `read_text`, and `read_blob`, to make unauthorized requests to internal or external resources. This can lead to unauthorized access to sensitive data, internal systems, and potentially further attacks. | |||||
| CVE-2024-10457 | 2025-03-20 | N/A | 6.5 MEDIUM | ||
| Multiple Server-Side Request Forgery (SSRF) vulnerabilities were identified in the significant-gravitas/autogpt repository, specifically in the GitHub Integration and Web Search blocks. These vulnerabilities affect version agpt-platform-beta-v0.1.1. The issues arise when block inputs are controlled by untrusted sources, leading to potential credential leakage, internal network scanning, and unauthorized access to internal services, APIs, or data stores. The affected blocks include GithubListPullRequestsBlock, GithubReadPullRequestBlock, GithubAssignPRReviewerBlock, GithubListPRReviewersBlock, GithubUnassignPRReviewerBlock, GithubCommentBlock, GithubMakeIssueBlock, GithubReadIssueBlock, GithubListIssuesBlock, GithubAddLabelBlock, GithubRemoveLabelBlock, GithubListBranchesBlock, and ExtractWebsiteContentBlock. | |||||
| CVE-2024-32812 | 1 Podlove | 1 Podlove Podcast Publisher | 2025-03-19 | N/A | 5.4 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Podlove Podlove Podcast Publisher.This issue affects Podlove Podcast Publisher: from n/a through 4.0.11. | |||||
| CVE-2021-33926 | 1 Plone | 1 Plone | 2025-03-19 | N/A | 8.8 HIGH |
| An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4 allows attacker to access sensitive information via the RSS feed protlet. | |||||
| CVE-2024-23788 | 1 Sharp | 4 Jh-rv11, Jh-rv11 Firmware, Jh-rvb1 and 1 more | 2025-03-19 | N/A | 8.1 HIGH |
| Server-side request forgery vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to send an arbitrary HTTP request (GET) from the affected product. | |||||
| CVE-2024-47222 | 1 Myoffice | 1 My Office Sdk | 2025-03-18 | N/A | 9.8 CRITICAL |
| New Cloud MyOffice SDK Collaborative Editing Server 2.2.2 through 2.8 allows SSRF via manipulation of requests from external document storage via the MS-WOPI protocol. | |||||
| CVE-2024-47049 | 1 Czim | 1 File-handling | 2025-03-18 | N/A | 8.2 HIGH |
| The czim/file-handling package before 1.5.0 and 2.x before 2.3.0 (used with PHP Composer) does not properly validate URLs within makeFromUrl and makeFromAny, leading to SSRF, and to directory traversal for the reading of local files. | |||||
| CVE-2022-35583 | 1 Wkhtmltopdf | 1 Wkhtmltopdf | 2025-03-18 | N/A | 9.8 CRITICAL |
| wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting iframe tag with initial asset IP address on it's source. This allows the attacker to takeover the whole infrastructure by accessing their internal assets. | |||||
| CVE-2022-37938 | 1 Hpe | 1 Serviceguard For Linux | 2025-03-17 | N/A | 9.8 CRITICAL |
| Unauthenticated server side request forgery in HPE Serviceguard Manager | |||||
| CVE-2025-1211 | 2025-03-16 | N/A | 6.5 MEDIUM | ||
| Versions of the package hackney before 1.21.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse and see the host as 127.0.0.1 (which is correct), and hackney will refer the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URL function for host checking. | |||||
| CVE-2024-13904 | 1 Platformly | 1 Platform.ly For Woocommerce | 2025-03-13 | N/A | 5.3 MEDIUM |
| The Platform.ly for WooCommerce plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.6 via the 'hooks' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2024-25864 | 2025-03-13 | N/A | 9.1 CRITICAL | ||
| Server Side Request Forgery (SSRF) vulnerability in Friendica versions after v.2023.12, allows a remote attacker to execute arbitrary code and obtain sensitive information via the fpostit.php component. | |||||
| CVE-2024-36448 | 1 Apache | 1 Iotdb Workbench | 2025-03-13 | N/A | 7.3 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench. This issue affects Apache IoTDB Workbench: from 0.13.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-13905 | 1 Sainwp | 1 Onestore Sites | 2025-03-12 | N/A | 5.3 MEDIUM |
| The OneStore Sites plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.1.1 via the class-export.php file. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2024-13924 | 1 Fancywp | 1 Starter Templates | 2025-03-12 | N/A | 5.3 MEDIUM |
| The Starter Templates by FancyWP plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.0.0 via the 'http_request_host_is_external' filter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2022-4492 | 1 Redhat | 10 Build Of Quarkus, Integration Camel For Spring Boot, Integration Camel K and 7 more | 2025-03-12 | N/A | 7.5 HIGH |
| The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol. | |||||
| CVE-2024-13907 | 1 Boldgrid | 1 Total Upkeep | 2025-03-11 | N/A | 4.9 MEDIUM |
| The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.16.8 via the 'download' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2025-2192 | 2025-03-11 | 4.3 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, was found in Stoque Zeev.it 4.24. This affects an unknown part of the file /Login?inpLostSession=1 of the component Login Page. The manipulation of the argument inpRedirectURL leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||