CWE-918: Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
All Server-Side Request Forgery (SSRF) CVEs (830)
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in SICK industrial automation products. An attacker can exploit an endpoint to m...
Jun 12, 2025
This CVE describes a server-side request forgery (SSRF) vulnerability in Fortinet FortiClientEMS that allows authenticated attackers to make internal ...
Jun 10, 2025
This Server-Side Request Forgery (SSRF) vulnerability in Stoque Zeev.it allows attackers to manipulate the inpRedirectURL parameter on the login page ...
Mar 11, 2025
This vulnerability allows attackers to perform server-side request forgery (SSRF) attacks against Beijing Founder Electronics Founder Enjoys All-Media...
Mar 9, 2025
A server-side request forgery (SSRF) vulnerability in Kibana's Fleet API allows authenticated users with read access to send requests to internal HTTP...
Jan 23, 2025
Gomatrixserverlib, a Go library for Matrix federation, is vulnerable to server-side request forgery (SSRF) that allows attackers to make the server ac...
Jan 16, 2025
This CVE-2025-0480 vulnerability in wuzhicms 4.1.0 allows attackers to perform server-side request forgery (SSRF) by manipulating sphinxhost/sphinxpor...
Jan 15, 2025
VMware Aria Automation contains a server-side request forgery (SSRF) vulnerability that allows authenticated users with 'Organization Member' access t...
Jan 8, 2025
This SSRF vulnerability in the WordPress Photo Gallery Slideshow & Masonry Tiled Gallery plugin allows authenticated users (even with low-privilege Su...
Jan 3, 2025
This vulnerability allows attackers to perform server-side request forgery (SSRF) attacks against Antabot White-Jotter systems. Attackers can manipula...
Dec 30, 2024
This vulnerability in Combodo iTop allows low-privileged users to make HTTP requests on behalf of the server, potentially leading to server-side reque...
Nov 5, 2024
GLPI administrators can exploit a Server-Side Request Forgery (SSRF) vulnerability through the Webhook feature, allowing them to make unauthorized req...
Feb 4, 2026
Rhymix CMS version 2.1.19 contains a Server-Side Request Forgery (SSRF) vulnerability in its background import data function. This allows authenticate...
Dec 18, 2024
The Block For Mailchimp WordPress plugin has a blind SSRF vulnerability that allows unauthenticated attackers to make arbitrary web requests from the ...
Oct 1, 2025
This vulnerability allows authenticated admin users in Zammad to perform Server-Side Request Forgery (SSRF) attacks. When webhooks return redirect res...
Apr 5, 2025
This SSRF vulnerability in Fortinet FortiSandbox allows authenticated attackers to proxy internal requests to plaintext endpoints via crafted HTTP req...
Jan 13, 2026
A Server-Side Request Forgery (SSRF) vulnerability in Desktop Alert PingAlert versions 6.1.0.11 to 6.1.1.2 allows attackers to make the application se...
Nov 14, 2025
LangChain versions before 1.2.11 contain a Server-Side Request Forgery (SSRF) vulnerability in the ChatOpenAI.get_num_tokens_from_messages() method. A...
Feb 10, 2026
This CVE describes a security bypass vulnerability in Webpack's HTTP(S) resolver when the experiments.buildHttp feature is enabled. It allows attacker...
Feb 5, 2026
This CVE describes a security bypass vulnerability in Webpack's HTTP(S) resolver when the experiments.buildHttp feature is enabled. Attackers can craf...
Feb 5, 2026
This SSRF vulnerability in Backstage's FetchUrlReader component allows attackers who control allowed hosts to bypass URL allowlist restrictions via HT...
Jan 21, 2026
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in M-Files Server products. It allows attackers to make unauthorized queries fro...
Jan 18, 2022
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in feiyuchuixue sz-boot-parent up to version 1.3.2-beta. Attackers can manipulat...
Feb 25, 2026
This vulnerability in Keycloak's CIBA (Client Initiated Backchannel Authentication) feature allows attackers to make blind server-side requests to int...
Feb 2, 2026
This vulnerability allows authenticated users with the 'change_authentication' capability to enumerate internal IP addresses and network ports when ad...
Dec 3, 2025
The Church Admin WordPress plugin is vulnerable to Server-Side Request Forgery (SSRF) in all versions up to 5.0.28. This allows authenticated attacker...
Jan 17, 2026
Angular SSR versions before 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery vulnerability where attackers can manipulate ...
Feb 25, 2026
This CVE describes a blind Server-Side Request Forgery vulnerability in Omada Controllers that allows attackers to send crafted requests to internal s...
Jan 26, 2026
This SSRF vulnerability in Sonatype Nexus Repository 3 allows authenticated administrators to configure proxy repositories with URLs that can access u...
Jan 14, 2026
CVE-2025-64178 is a server-side request forgery (SSRF) vulnerability in Jellysweep, a cleanup tool for Jellyfin media servers. Authenticated users can...
Nov 6, 2025
About Server-Side Request Forgery (SSRF) (CWE-918)
Our database tracks 830 CVEs classified as CWE-918, with 178 rated critical and 315 rated high severity. The average CVSS score for Server-Side Request Forgery (SSRF) vulnerabilities is 7.2.