CWE-918 · Server-Side Request Forgery (SSRF)

2776 CVEs classified under CWE-918 (Server-Side Request Forgery (SSRF)). Browse by severity and year.

Top CVEs for CWE-918
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2026-49869 | Critical | 10.0 | 2026-06-26 | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("… |
| CVE-2026-47938 | Critical | 10.0 | 2026-06-09 | Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in priv… |
| CVE-2026-33712 | Critical | 10.0 | 2026-05-22 | Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/{typebotId}/preview/startChat) allows unauthe… |
| CVE-2026-35431 | Critical | 10.0 | 2026-04-23 | Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2026-32186 | Critical | 10.0 | 2026-04-03 | Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-33107 | Critical | 10.0 | 2026-04-03 | Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-32871 | Critical | 10.0 | 2026-04-02 | FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by pars… |
| CVE-2026-34162 | Critical | 10.0 | 2026-03-31 | FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed witho… |
| CVE-2026-32169 | Critical | 10.0 | 2026-03-19 | Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-64180 | Critical | 10.0 | 2025-11-07 | Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorized access… |
| CVE-2025-59503 | Critical | 10.0 | 2025-10-23 | Server-side request forgery (ssrf) in Azure Compute Gallery allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2025-53767 | Critical | 10.0 | 2025-08-07 | Azure OpenAI Elevation of Privilege Vulnerability |
| CVE-2025-54122 | Critical | 10.0 | 2025-07-21 | Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the pro… |
| CVE-2025-2828 | Critical | 10.0 | 2025-06-23 | A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_communit… |
| CVE-2024-42467 | Critical | 10.0 | 2024-08-12 | openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Prior to version 4.2.1, the proxy endpoi… |
| CVE-2023-43654 | Critical | 10.0 | 2023-09-28 | TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parti… |
| CVE-2023-39967 | Critical | 10.0 | 2023-09-06 | WireMock is a tool for mocking HTTP services. When certain request URLs like "@127.0.0.1:1234" are used in WireMock Studio configuration fields, the request mi… |
| CVE-2023-3432 | Critical | 10.0 | 2023-06-27 | Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9. |
| CVE-2022-21215 | Critical | 10.0 | 2022-02-18 | This vulnerability could allow an attacker to force the server to create and execute a web request granting access to backend APIs that are only accessible to… |
| CVE-2021-29475 | Critical | 10.0 | 2021-04-26 | HedgeDoc (formerly known as CodiMD) is an open-source collaborative markdown editor. An attacker is able to receive arbitrary files from the file system when e… |