SSRF

The PixelYourSite Pro WordPress plugin is vulnerable to server-side request forgery (SSRF), allowing unauthenticated attackers to make arbitrary web requests from the server, potentially querying or modifying internal services.

The n8n-mcp SDK embedder path is vulnerable to server-side request forgery (SSRF) due to the synchronous URL validator in `SSRFProtection.validateUrlSync()` not checking for IPv6 addresses, allowing attackers to access cloud metadata endpoints, RFC1918 private networks, or localhost services by supplying a crafted `n8nApiUrl`.

Gotenberg version 8.29.1 is vulnerable to Server-Side Request Forgery (SSRF) due to an unfiltered webhook URL, allowing unauthenticated attackers to force outbound HTTP POST requests to arbitrary destinations, enabling internal network probing and interaction with internal services.

OpenClaw before 2026.4.8 is vulnerable to server-side request forgery (SSRF) in QQ Bot media download paths, allowing attackers to bypass SSRF protections and access internal resources.

A server-side request forgery (SSRF) vulnerability in ChatGPTNextWeb NextChat up to version 2.16.1 allows remote attackers to manipulate the proxyHandler function, potentially leading to unauthorized internal resource access.

A server-side request forgery (SSRF) vulnerability exists in Typecho up to version 1.3.0, allowing remote attackers to manipulate the X-Pingback/link argument in the Service::sendPingHandle function to potentially make arbitrary HTTP requests.

WWBN AVideo versions 29.0 and below are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete fix in the LiveLinks proxy, potentially allowing attackers to redirect traffic to internal endpoints.

A server-side request forgery (SSRF) vulnerability exists in moxi624 Mogu Blog v2 up to version 5.2, specifically affecting the `LocalFileServiceImpl.uploadPictureByUrl` function, allowing remote attackers to potentially interact with internal resources.

Movary versions before 0.71.1 are vulnerable to server-side request forgery (SSRF) via the `/settings/jellyfin/server-url-verify` endpoint, allowing authenticated users to probe internal network resources.

Flowise is vulnerable to SSRF protection bypass via unprotected built-in HTTP modules in the custom function sandbox, allowing authenticated users to access internal network resources by exploiting the lack of SSRF protection on Node.js `http`, `https`, and `net` modules.

A Server-Side Request Forgery (SSRF) vulnerability in Webkul Krayin CRM v2.2.x allows attackers to scan internal resources by sending a crafted POST request to the /settings/webhooks/create endpoint.

A Server-Side Request Forgery (SSRF) vulnerability in Kyverno's CEL HTTP library allows users with namespace-scoped policy creation permissions to make arbitrary HTTP requests, enabling unauthorized access to internal services, cloud metadata endpoints, and data exfiltration.

SiYuan is vulnerable to zero-click NTLM hash theft on Windows and blind SSRF on all platforms due to insecure Mermaid.js configuration, where a malicious Mermaid diagram containing a protocol-relative URL can be injected into a note, causing the Electron client to fetch the URL, triggering SMB authentication on Windows and sending the victim's NTLMv2 hash to the attacker. On macOS and Linux, the request acts as a tracking pixel and blind SSRF.

Postiz, an AI social media scheduling tool, is vulnerable to Server-Side Request Forgery (SSRF) in versions prior to 2.21.5, allowing attackers to access internal resources.

A Server-Side Request Forgery (SSRF) vulnerability exists in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3, allowing authenticated attackers to make arbitrary HTTP requests, scan internal ports, and access cloud instance metadata via the Social Wall feature.

PraisonAI versions prior to 4.5.128 are vulnerable to Server-Side Request Forgery (SSRF) due to a lack of URL validation on the webhook_url parameter in the /api/v1/runs endpoint, allowing unauthenticated attackers to send arbitrary POST requests from the server.

Axios is vulnerable to a NO_PROXY hostname normalization bypass leading to SSRF, where requests to loopback addresses like `localhost.` or `[::1]` bypass `NO_PROXY` rules, allowing attackers to force requests through a proxy and potentially exfiltrate sensitive data.

Plane project management tool versions before 1.3.0 are vulnerable to Server-Side Request Forgery (SSRF), allowing authenticated low-privilege attackers to read internal resources by exploiting the favicon fetch functionality.

The mcp-from-openapi library is vulnerable to Server-Side Request Forgery (SSRF) due to insecure handling of $ref pointers in OpenAPI specifications, allowing attackers to read local files, internal network resources, and cloud metadata endpoints by processing untrusted OpenAPI specifications.

CVE-2026-1343 allows an attacker to contact internal authentication endpoints protected by the Reverse Proxy in IBM Verify Identity Access Container and IBM Security Verify Access Container.

WWBN AVideo is vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete fix for CVE-2026-27732, allowing authenticated uploaders to bypass SSRF protection by providing a `downloadURL` with a common media extension, leading to internal response exfiltration.

OpenObserve versions 0.70.3 and earlier are vulnerable to a server-side request forgery (SSRF) attack due to improper validation of IPv6 addresses in the validate_enrichment_url function, potentially allowing authenticated attackers to access internal services and retrieve sensitive cloud metadata.

The text-generation-webui application before version 4.3 is vulnerable to server-side request forgery (SSRF) due to insufficient validation of user-supplied URLs by the superbooga and superboogav2 RAG extensions, potentially leading to credential theft and internal network reconnaissance.

A server-side request forgery (SSRF) vulnerability exists in assafelovic gpt-researcher up to version 3.4.3, affecting the ws Endpoint component, allowing a remote attacker to manipulate the source_urls argument and potentially access internal resources or conduct further attacks.

A critical Server-Side Request Forgery (SSRF) vulnerability in Budibase's REST datasource connector allows attackers with Builder privileges to exfiltrate sensitive data from internal network services due to a missing default IP blacklist.

curl_cffi versions before 0.15.0 are vulnerable to server-side request forgery (SSRF) due to unrestricted redirects to internal IP ranges, potentially enabling access to sensitive internal resources and cloud metadata.

prompts.chat prior to commit 30a8f04 is vulnerable to server-side request forgery (SSRF) in Fal.ai media status polling, allowing authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs, leading to potential credential theft and internal network probing.

Ech0 is vulnerable to Server-Side Request Forgery (SSRF) due to an unauthenticated API endpoint (`/api/website/title`) that fetches website titles from user-controlled URLs, lacking proper validation and TLS verification, allowing attackers to access internal resources and potentially cause denial of service.

A server-side request forgery (SSRF) vulnerability, identified as CVE-2026-33107, exists in Azure Databricks, allowing an unauthorized attacker to elevate privileges over a network.

A server-side request forgery (SSRF) vulnerability exists in huimeicloud hm_editor up to version 2.2.3, allowing remote attackers to manipulate the 'url' argument in the client.get function of src/mcp-server.js to potentially access internal resources.

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 5.6.2, allowing unauthenticated attackers to make arbitrary web requests and potentially query or modify internal services.

PraisonAI versions 4.5.89 and earlier are vulnerable to SSRF via the `api_base` parameter in the `passthrough()` function, allowing attackers to make requests to internal services or external hosts, potentially leading to IAM credential theft on cloud infrastructure or access to internal services within the VPC.

Payload CMS versions before 3.79.1 are vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated users with upload access to trigger outbound HTTP requests to arbitrary URLs.

OpenClaw versions 2026.3.24 and earlier are vulnerable to Server-Side Request Forgery (SSRF) because of unguarded configured base URLs in multiple channel extensions, allowing attackers to potentially access internal resources.

A server-side request forgery vulnerability exists in elecV2 elecV2P up to 3.8.3, affecting the eAxios function within the /mock URL handler, allowing remote attackers to manipulate the req argument and potentially conduct internal reconnaissance or other malicious activities.

LibreChat versions prior to 0.8.3 are vulnerable to Server-Side Request Forgery (SSRF), allowing authenticated users to bypass IP address validation and make the server issue HTTP requests to internal network resources.

A server-side request forgery (SSRF) vulnerability exists in the `clerkFrontendApiProxy` function of the `@clerk/backend` package, allowing an unauthenticated attacker to send the application's `Clerk-Secret-Key` to an attacker-controlled server.

The Oxygen Theme for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 6.0.8, allowing unauthenticated attackers to make arbitrary web requests via the laborator_calc_route AJAX action.

LinkAce versions prior to 2.5.3 are vulnerable to server-side request forgery (SSRF), allowing an authenticated user to trigger server-side requests to internal services by referencing internal hostnames.

A high-severity SSRF vulnerability exists in the Postiz application via Next.js, allowing attackers to bypass firewalls, scan internal networks, access sensitive cloud metadata (AWS IMDS), potentially leak instance credentials, and pivot within the internal network.

A server-side request forgery (SSRF) vulnerability (CVE-2026-4953) exists in mingSoft MCMS version 5.5.0, allowing remote attackers to manipulate the 'catchimage' argument in the catchImage function to potentially access or interact with internal resources.

Spring AI's spring-ai-bedrock-converse library is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied media URLs in multimodal messages, allowing attackers to trigger HTTP requests to internal or external destinations.

An anonymous remote attacker can exploit multiple vulnerabilities in cPanel/WHM to bypass security measures, perform XSS and SSRF attacks, disclose information, and potentially execute code.

A remote attacker can exploit multiple vulnerabilities in Apache CXF to disclose information and perform Server-Side Request Forgery (SSRF) attacks.

A server-side request forgery (SSRF) vulnerability exists in the DefaultFuction Jeson-Customer-Relationship-Management-System's API Module, specifically affecting the /api/System.php file, allowing remote attackers to manipulate the 'url' argument and potentially access internal resources.

AVideo versions up to 26.0 are vulnerable to an unauthenticated server-side request forgery (SSRF) vulnerability in the `plugin/Live/test.php` endpoint, allowing attackers to make the server send arbitrary HTTP requests, potentially exposing internal resources and cloud metadata.

A server-side request forgery (SSRF) vulnerability in Monetr's Lunch Flow integration allows authenticated users on self-hosted instances to send HTTP GET requests to arbitrary URLs, potentially exposing sensitive information.

PhpSpreadsheet is vulnerable to Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) due to improper validation of filenames in the IOFactory::load function, exploitable via PHP wrappers like `phar://` and `ftp://`.

Versions of i18next-http-middleware before 3.9.3 are vulnerable to prototype pollution, path traversal, and server-side request forgery (SSRF) due to improper validation of user-controlled language and namespace parameters, potentially leading to denial of service or remote code execution.

A server-side request forgery (SSRF) vulnerability exists in BigSweetPotatoStudio HyperChat up to version 2.0.0-alpha.63, allowing a remote attacker to manipulate the 'baseurl' argument in the 'fetch' function of the AI Proxy Middleware component to make arbitrary HTTP requests.

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated attackers with Contributor-level access or higher to make arbitrary requests and retrieve sensitive information from internal services.

Nginx-UI version 2.3.4 and earlier is vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated users to access internal services by manipulating cluster node configurations.

A server-side request forgery (SSRF) vulnerability exists in AlejandroArciniegas' mcp-data-vis due to improper handling of HTTP requests, potentially allowing remote attackers to make arbitrary requests through the vulnerable server.

pygeoapi versions 0.23.0 to 0.23.2 contain an unauthenticated server-side request forgery (SSRF) vulnerability where OGC API process execution requests can use the subscriber object to make requests to internal HTTP services, which is resolved in version 0.23.3 by disabling internal requests by default.

A server-side request forgery vulnerability exists in JoeCastrom mcp-chat-studio up to version 1.5.0 in the LLM Models API component, allowing remote attackers to manipulate the req.query.base_url argument and potentially conduct further attacks.

ChatGPTNextWeb NextChat versions up to 2.16.1 are vulnerable to server-side request forgery (SSRF) due to improper input validation in the storeUrl function, allowing remote attackers to potentially access internal resources or conduct other malicious activities.

WeKan before 8.35 is vulnerable to server-side request forgery (SSRF), allowing attackers with integration modification privileges to set webhook URLs to internal network addresses, leading to unauthorized HTTP POST requests and potential comment manipulation.

A server-side request forgery vulnerability exists in TencentCloudBase CloudBase-MCP up to version 2.17.0, allowing remote attackers to manipulate the `req.body.url` argument in the `openUrl` function of `mcp/src/interactive-server.ts` to conduct SSRF attacks.

A vulnerability in RustFS allows a non-admin user to overwrite a shared admin-defined notification target, leading to event interception and audit evasion due to missing admin-action authorization on notification target admin API endpoints.

A server-side request forgery (SSRF) vulnerability exists in BidingCC BuildingAI up to version 26.0.1, allowing remote attackers to manipulate the `url` argument in the `uploadRemoteFile` function of `file-storage.service.ts` to conduct SSRF attacks.

A server-side request forgery (SSRF) vulnerability exists in Algovate xhs-mcp 0.8.11 within the xhs_publish_content function, allowing a remote attacker to manipulate the media_paths argument and potentially access internal resources.