Total
1521 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-31117 | 2025-04-01 | N/A | N/A | ||
| OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in OpenEMR, allowing an attacker to force the server to make unauthorized requests to external or internal resources. this attack does not return a direct response but can be exploited through DNS or HTTP interactions to exfiltrate sensitive information. This vulnerability is fixed in 7.0.3.1. | |||||
| CVE-2025-31116 | 2025-04-01 | N/A | 4.4 MEDIUM | ||
| Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.gethostbyname(), which is vulnerable to SSRF abuse using DNS rebinding technique. This vulnerability is fixed in 4.3.2. | |||||
| CVE-2025-31796 | 2025-04-01 | N/A | 5.4 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in TheInnovs Team ElementsCSS Addons for Elementor allows Server Side Request Forgery. This issue affects ElementsCSS Addons for Elementor: from n/a through 1.0.8.7. | |||||
| CVE-2024-48590 | 1 Inflectra | 1 Spirateam | 2025-04-01 | N/A | 9.8 CRITICAL |
| Inflectra SpiraTeam 7.2.00 is vulnerable to Server-Side Request Forgery (SSRF) via the NewsReaderService. This allows an attacker to escalate privileges and obtain sensitive information. | |||||
| CVE-2024-0677 | 1 Popozure | 1 Pz-linkcard | 2025-04-01 | N/A | 5.1 MEDIUM |
| The Pz-LinkCard WordPress plugin through 2.5.1 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks. | |||||
| CVE-2022-46998 | 1 Taogogo | 1 Taocms | 2025-04-01 | N/A | 9.8 CRITICAL |
| An issue in the website background of taocms v3.0.2 allows attackers to execute a Server-Side Request Forgery (SSRF). | |||||
| CVE-2024-48944 | 1 Apache | 1 Kylin | 2025-04-01 | N/A | 6.5 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information. There are two preconditions: 1) The attacker has got admin access to a kylin server; 2) Another internal host has the "/kylin/api/xxx/diag" api endpoint open for service. This issue affects Apache Kylin: from 5.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2, which fixes the issue. | |||||
| CVE-2025-2835 | 1 Zhyd | 1 Oneblog | 2025-04-01 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-28668 | 1 Dedecms | 1 Dedecms | 2025-04-01 | N/A | 6.1 MEDIUM |
| DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/mychannel_add.php | |||||
| CVE-2024-44677 | 1 Eladmin | 1 Eladmin | 2025-03-31 | N/A | 9.8 CRITICAL |
| eladmin v2.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the DatabaseController.java component. | |||||
| CVE-2023-45705 | 1 Hcltech | 1 Bigfix Platform | 2025-03-28 | N/A | 3.5 LOW |
| An administrative user of WebReports may perform a Server Side Request Forgery (SSRF) exploit through SMTP configuration options. | |||||
| CVE-2025-31076 | 2025-03-28 | N/A | 4.9 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in WP Compress WP Compress for MainWP allows Server Side Request Forgery. This issue affects WP Compress for MainWP: from n/a through 6.30.03. | |||||
| CVE-2024-44721 | 1 Seacms | 1 Seacms | 2025-03-28 | N/A | 9.8 CRITICAL |
| SeaCMS v13.1 was discovered to a Server-Side Request Forgery (SSRF) via the url parameter at /admin_reslib.php. | |||||
| CVE-2021-21973 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2025-03-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). | |||||
| CVE-2023-24623 | 1 Paranoidhttp Project | 1 Paranoidhttp | 2025-03-28 | N/A | 7.5 HIGH |
| Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses. | |||||
| CVE-2023-24622 | 1 Includesecurity | 1 Safeurl-python | 2025-03-28 | N/A | 5.3 MEDIUM |
| isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF. | |||||
| CVE-2022-4335 | 1 Gitlab | 1 Gitlab | 2025-03-28 | N/A | 4.3 MEDIUM |
| A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host. | |||||
| CVE-2022-4201 | 1 Gitlab | 1 Gitlab | 2025-03-27 | N/A | 3.5 LOW |
| A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner. | |||||
| CVE-2023-24495 | 1 Tenable | 1 Tenable.sc | 2025-03-27 | N/A | 6.5 MEDIUM |
| A Server Side Request Forgery (SSRF) vulnerability exists in Tenable.sc due to improper validation of session & user-accessible input data. A privileged, authenticated remote attacker could interact with external and internal services covertly. | |||||
| CVE-2023-24060 | 1 Havenweb | 1 Haven | 2025-03-27 | N/A | 5.0 MEDIUM |
| Haven 5d15944 allows Server-Side Request Forgery (SSRF) via the feed[url]= Feeds functionality. Authenticated users with the ability to create new RSS Feeds or add RSS Feeds can supply an arbitrary hostname (or even the hostname of the Haven server itself). NOTE: this product has significant usage but does not have numbered releases; ordinary end users may typically use the master branch. | |||||