Total
1827 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1799 | 1 Skycaiji | 1 Skycaiji | 2025-06-12 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in Zorlan SkyCaiji 2.9. This affects the function previewAction of the file vendor/skycaiji/app/admin/controller/Tool.php. The manipulation of the argument data leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-31116 | 1 Opensecurity | 1 Mobile Security Framework | 2025-06-12 | 4.4 Medium |
| Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.gethostbyname(), which is vulnerable to SSRF abuse using DNS rebinding technique. This vulnerability is fixed in 4.3.2. | ||||
| CVE-2025-45887 | 1 Wanglongcn | 1 Yifang | 2025-06-12 | 9.1 Critical |
| Yifang CMS v2.0.2 is vulnerable to Server-Side Request Forgery (SSRF) in /api/file/getRemoteContent. | ||||
| CVE-2025-25065 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-06-11 | 5.3 Medium |
| SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints. | ||||
| CVE-2023-6991 | 1 Surniaulula | 1 Jsm File Get Contents\(\) Shortcode | 2025-06-11 | 8.8 High |
| The JSM file_get_contents() Shortcode WordPress plugin before 2.7.1 does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks. | ||||
| CVE-2024-6584 | 1 Automattic | 1 Jetpack Boost | 2025-06-11 | 9.1 Critical |
| The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs. | ||||
| CVE-2024-33117 | 1 Crmeb | 1 Crmeb Java | 2025-06-11 | 5.3 Medium |
| crmeb_java v1.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the mergeList method in class com.zbkj.front.pub.ImageMergeController. | ||||
| CVE-2024-48178 | 1 Newbee-mall Project | 1 Newbee-mall | 2025-06-10 | 8.1 High |
| newbee-mall v1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the goodsCoverImg parameter. | ||||
| CVE-2025-5327 | 1 Chshcms | 1 Mccms | 2025-06-10 | 6.3 Medium |
| A vulnerability was found in chshcms mccms 2.7. It has been classified as critical. This affects the function index of the file sys/apps/controllers/api/Gf.php. The manipulation of the argument pic leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-45479 | 1 Apache | 1 Ranger | 2025-06-10 | 9.1 Critical |
| SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue. | ||||
| CVE-2024-25187 | 1 Xiaocheng-keji | 1 71cms | 2025-06-10 | 8.6 High |
| Server Side Request Forgery (SSRF) vulnerability in 71cms v1.0.0, allows remote unauthenticated attackers to obtain sensitive information via getweather.html. | ||||
| CVE-2024-22873 | 1 Tencent | 1 Blueking Configuration Management Database | 2025-06-09 | 8.1 High |
| Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Server-Side Request Forgery (SSRF) via the event subscription function (/service/subscription.go). This vulnerability allows attackers to access internal requests via a crafted POST request. | ||||
| CVE-2025-5510 | 1 Quequnlong | 1 Shiyi-blog | 2025-06-09 | 6.3 Medium |
| A vulnerability classified as critical was found in quequnlong shiyi-blog up to 1.2.1. This vulnerability affects unknown code of the file /app/sys/article/optimize. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-1021 | 1 Ruifang-tech | 1 Rebuild | 2025-06-06 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in Rebuild up to 3.5.5. Affected by this issue is the function readRawText of the component HTTP Request Handler. The manipulation of the argument url leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252290 is the identifier assigned to this vulnerability. | ||||
| CVE-2025-30997 | 2025-06-06 | 5.4 Medium | ||
| Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Car Repair Services allows Server Side Request Forgery. This issue affects Car Repair Services: from n/a through 5.0. | ||||
| CVE-2025-29008 | 2025-06-06 | 4.9 Medium | ||
| Server-Side Request Forgery (SSRF) vulnerability in ShawonPro SocialMark allows Server Side Request Forgery. This issue affects SocialMark: from n/a through 2.0.7. | ||||
| CVE-2024-6155 | 1 Greenshiftwp | 1 Greenshift - Animation And Page Builder Blocks | 2025-06-05 | 6.4 Medium |
| The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Authenticated (Subscriber+) Server-Side Request Forgery and Stored Cross Site Scripting in all versions up to, and including, 9.0.0 due to a missing capability check in the greenshift_download_file_localy function, along with no SSRF protection and sanitization on uploaded SVG files. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application that can also be leveraged to download malicious SVG files containing Cross-Site Scripting payloads to the server. On Cloud-based servers, attackers could retrieve the instance metadata. The issue was partially patched in version 8.9.9 and fully patched in version 9.0.1. | ||||
| CVE-2023-35817 | 1 Devexpress | 1 Devexpress | 2025-06-05 | 5 Medium |
| DevExpress before 23.1.3 allows AsyncDownloader SSRF. | ||||
| CVE-2023-46480 | 1 Owncast Project | 1 Owncast | 2025-06-05 | 9.8 Critical |
| An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function. | ||||
| CVE-2023-49094 | 1 Sentry | 1 Symbolicator | 2025-06-05 | 4.3 Medium |
| Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on Sentry instance. The issue has been fixed in the release 23.11.2. | ||||