CWE-918: Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
All Server-Side Request Forgery (SSRF) CVEs (803)
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Calibre-Web, an open-source web application for managing eBook collections. T... (Apr 4, 2022)
This vulnerability in the FormCraft WordPress plugin allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) attacks. Attackers... (Mar 21, 2022)
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the AllTube video downloader software. Attackers can exploit this vulnerabili... (Feb 28, 2022)
JetBrains Hub versions before 2021.1.14276 contain a blind Server-Side Request Forgery (SSRF) vulnerability that allows attackers to make unauthorized... (Feb 25, 2022)
This vulnerability in vscode-xml allows attackers to trigger schema downloads that can lead to blind server-side request forgery (SSRF) or denial of s... (Feb 18, 2022)
Myucms v2.2.1 contains a server-side request forgery (SSRF) vulnerability in the index.php controller's sj() method. This allows attackers to make arb... (Oct 6, 2021)
CVE-2021-34473 is a critical remote code execution vulnerability in Microsoft Exchange Server that allows unauthenticated attackers to execute arbitra... (Jul 14, 2021)
This SSRF vulnerability in ArcGIS Server Manager allows unauthenticated remote attackers to make arbitrary GET requests from the vulnerable system. Th... (Jul 11, 2021)
This CVE describes a server-side request forgery (SSRF) vulnerability in the WP Smart Import WordPress plugin version 1.0.0. Attackers can exploit the... (Jul 7, 2021)
Feehi CMS 2.1.1 has a server-side request forgery (SSRF) vulnerability where attackers can manipulate the HTTP Referer header to make the server send ... (May 24, 2021)
CVE-2021-26715 is a Server-Side Request Forgery (SSRF) vulnerability in MITREid Connect OpenID Connect server that allows unauthenticated attackers to... (Mar 25, 2021)
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server that allows unauthenticated attackers to execute arb... (Mar 3, 2021)
CVE-2020-15152 is a Server-Side Request Forgery (SSRF) vulnerability in the ftp-srv npm package that allows attackers to make the FTP server initiate ... (Aug 17, 2020)
CVE-2024-32964 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Lobe Chat's /api/proxy endpoint. Attackers can exploit this t... (May 14, 2024)
Judge0's default configuration is vulnerable to Server-Side Request Forgery (SSRF) leading to sandbox escape. Attackers with API access can achieve ro... (Apr 18, 2024)
phpMoAdmin 1.1.5 contains a CSRF vulnerability that allows attackers to trick authenticated administrators into performing unauthorized database opera... (Feb 20, 2026)
This Server-Side Request Forgery (SSRF) vulnerability in Drupal's AI SEO Link Advisor module allows attackers to make unauthorized requests from the s... (Aug 15, 2025)
This Server-Side Request Forgery (SSRF) vulnerability in Microsoft Purview allows authenticated attackers to make the application send requests to int... (Jan 9, 2025)
This Server-Side Request Forgery (SSRF) vulnerability in Chatwoot allows attackers to upload malicious SVG files containing SSRF payloads. When these ... (Nov 15, 2024)
This vulnerability in Zimbra Collaboration allows authenticated users to perform Server-Side Request Forgery (SSRF) attacks due to improper input sani... (Oct 22, 2024)
CVE-2023-37229 is a Server-Side Request Forgery (SSRF) vulnerability in Loftware Spectrum versions before 5.1 that allows attackers to make unauthoriz... (Sep 10, 2024)
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Veeam software that allows low-privileged authenticated users to escalate pri... (Sep 7, 2024)
PublicCMS v4.0.202302.e contains a Server-Side Request Forgery vulnerability in the UEditor component's image capture functionality. This allows attac... (Jul 12, 2024)
CVE-2024-3152 affects mintplex-labs/anything-llm, allowing attackers to escalate privileges to admin, read/delete arbitrary files, and perform SSRF at... (Jun 6, 2024)
This vulnerability allows authenticated attackers to perform blind Server-Side Request Forgery (SSRF) attacks against RWS WorldServer, enabling them t... (Feb 29, 2024)
This SSRF vulnerability in xxl-job allows low-privileged users to make the server execute arbitrary requests to internal systems, potentially leading ... (Feb 8, 2024)
This vulnerability in the JSM file_get_contents() Shortcode WordPress plugin allows users with contributor role or higher to perform Server-Side Reque... (Jan 15, 2024)
This Server-Side Request Forgery (SSRF) vulnerability in LangChain allows attackers to make the application send requests from external servers to int... (Oct 19, 2023)
CVE-2023-39108 is a Server-Side Request Forgery (SSRF) vulnerability in rconfig v3.9.4 that allows authenticated attackers to make arbitrary HTTP requ... (Aug 1, 2023)
CVE-2023-39110 is a Server-Side Request Forgery (SSRF) vulnerability in rconfig v3.9.4 that allows authenticated attackers to make arbitrary HTTP requ... (Aug 1, 2023)
CVE-2023-31848 is a Server-Side Request Forgery (SSRF) vulnerability in davinci 0.3.0-rc that allows attackers to make unauthorized requests from the ... (May 17, 2023)
This Server-Side Request Forgery (SSRF) vulnerability in maccms10 allows attackers to make the application send arbitrary HTTP requests to internal or... (Feb 1, 2023)
The HubSpot WordPress plugin before version 8.8.15 contains a Server-Side Request Forgery (SSRF) vulnerability. It allows users with edit_posts capabi... (May 2, 2022)
This Server-Side Request Forgery vulnerability in Chamilo LMS allows attackers to make the server send requests to internal network resources and exec... (Apr 15, 2022)
CVE-2022-27245 is a Server-Side Request Forgery (SSRF) vulnerability in MISP (Malware Information Sharing Platform) that allows attackers to make unau... (Mar 18, 2022)
This CVE describes a server-side request forgery (SSRF) vulnerability in BookWyrm's cover image loading functionality. Authenticated users can exploit... (Feb 16, 2022)
CVE-2021-40809 is a Server-Side Request Forgery (SSRF) vulnerability in Jamf Pro that allows attackers to make unauthorized requests from the server t... (Dec 1, 2021)
This vulnerability in the pixxio TYPO3 extension allows Server-Side Request Forgery (SSRF) that can lead to remote code execution. Attackers with TYPO... (Nov 10, 2021)
CVE-2021-29844 is a server-side request forgery (SSRF) vulnerability in IBM Jazz Team Server products that allows authenticated attackers to make unau... (Oct 27, 2021)
This vulnerability allows authenticated users with guest privileges in F5 Advanced WAF and BIG-IP ASM Configuration utility to perform Server-Side Req... (Sep 14, 2021)
This is a server-side request forgery (SSRF) vulnerability in FortiManager and FortiAnalyzer GUI that allows authenticated attackers to make unauthori... (Aug 5, 2021)
This vulnerability allows unauthenticated remote attackers to bypass access controls in Cisco Data Center Network Manager (DCNM) through a server-side... (Jan 20, 2021)
This Server-Side Request Forgery vulnerability in Microsoft Dynamics 365 Sales allows authenticated attackers to make unauthorized requests from the s... (Feb 6, 2025)
CVE-2021-32663 is an authentication bypass vulnerability in iTop ITSM software that allows unauthenticated attackers to access the system setup interf... (Oct 19, 2021)
This SSRF vulnerability in changedetection.io allows authenticated users (or any user when no password is configured, which is the default) to make th... (Feb 25, 2026)
This SSRF vulnerability in Astro web framework allows attackers to redirect error page requests to internal network resources by manipulating the Host... (Feb 24, 2026)
This SSRF vulnerability in Pydantic AI allows attackers to make the server request internal network resources when applications accept message history... (Feb 6, 2026)
This vulnerability allows authenticated attackers with connector management privileges to read arbitrary files and make arbitrary network requests by ... (Jan 14, 2026)
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in Infinera MTC-9 allows attackers to make the appliance send HTTPS requests to in... (Dec 8, 2025)
This vulnerability in Azure Monitor allows authenticated users to escalate privileges within the monitoring service, potentially gaining unauthorized ... (Nov 20, 2025)
About Server-Side Request Forgery (SSRF) (CWE-918)
Our database tracks 803 CVEs classified as CWE-918, with 165 rated critical and 305 rated high severity. The average CVSS score for Server-Side Request Forgery (SSRF) vulnerabilities is 7.2.
External reference: View CWE-918 on MITRE CWE →