Total
1343 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4399 | 1 Apereo | 1 Central Authentication Service | 2025-06-30 | N/A | N/A |
| The does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attack | |||||
| CVE-2025-52477 | 2025-06-26 | N/A | N/A | ||
| Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. Upgrade to v0.5.3 to resolve this issue. This version includes patch sets to sanitize input and redact logging. | |||||
| CVE-2024-52588 | 1 Strapi | 1 Strapi | 2025-06-24 | N/A | 7.5 HIGH |
| Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field leads to the application fetching itself, resulting in a server side request forgery (SSRF). This issue has been patched in version 4.25.2. | |||||
| CVE-2025-52967 | 2025-06-23 | N/A | N/A | ||
| gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation. | |||||
| CVE-2024-22648 | 1 Seopanel | 1 Seo Panel | 2025-06-20 | N/A | 5.3 MEDIUM |
| A Blind SSRF vulnerability exists in the "Crawl Meta Data" functionality of SEO Panel version 4.10.0. This makes it possible for remote attackers to scan ports in the local environment. | |||||
| CVE-2023-38627 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | N/A | 5.4 MEDIUM |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38626. | |||||
| CVE-2023-38625 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | N/A | 5.4 MEDIUM |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38624. | |||||
| CVE-2023-38624 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | N/A | 5.4 MEDIUM |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625 through CVE-2023-38627. | |||||
| CVE-2023-52331 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | N/A | 7.1 HIGH |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | |||||
| CVE-2023-38626 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | N/A | 5.4 MEDIUM |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625. | |||||
| CVE-2025-49985 | 2025-06-20 | N/A | N/A | ||
| Server-Side Request Forgery (SSRF) vulnerability in Ali Irani Auto Upload Images allows Server Side Request Forgery. This issue affects Auto Upload Images: from n/a through 3.3.2. | |||||
| CVE-2025-49983 | 2025-06-20 | N/A | N/A | ||
| Server-Side Request Forgery (SSRF) vulnerability in Joe Hoyle WPThumb allows Server Side Request Forgery. This issue affects WPThumb: from n/a through 0.10. | |||||
| CVE-2025-49984 | 2025-06-20 | N/A | N/A | ||
| Server-Side Request Forgery (SSRF) vulnerability in Angelo Mandato PowerPress Podcasting allows Server Side Request Forgery. This issue affects PowerPress Podcasting: from n/a through 11.12.11. | |||||
| CVE-2025-52713 | 2025-06-20 | N/A | N/A | ||
| Server-Side Request Forgery (SSRF) vulnerability in BoldGrid Post and Page Builder by BoldGrid – Visual Drag and Drop Editor allows Server Side Request Forgery. This issue affects Post and Page Builder by BoldGrid – Visual Drag and Drop Editor: from n/a through 1.27.8. | |||||
| CVE-2025-47293 | 2025-06-19 | N/A | N/A | ||
| PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, in certain places, powsybl-core XML parsing is vulnerable to an XML external entity (XXE) attack and to a server-side request forgery (SSRF) attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is com.powsybl.commons.xml.XmlReader which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2. | |||||
| CVE-2025-49877 | 2025-06-17 | N/A | N/A | ||
| Server-Side Request Forgery (SSRF) vulnerability in Metagauss ProfileGrid allows Server Side Request Forgery. This issue affects ProfileGrid : from n/a through 5.9.5.2. | |||||
| CVE-2025-6142 | 2025-06-16 | N/A | 6.3 MEDIUM | ||
| A vulnerability was found in Intera InHire up to 20250530. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument 29chcotoo9 leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-6991 | 1 Surniaulula | 1 Jsm File Get Contents\(\) Shortcode | 2025-06-11 | N/A | 8.8 HIGH |
| The JSM file_get_contents() Shortcode WordPress plugin before 2.7.1 does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks. | |||||
| CVE-2024-6584 | 1 Automattic | 1 Jetpack Boost | 2025-06-11 | N/A | N/A |
| The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs. | |||||
| CVE-2025-30220 | 2025-06-10 | N/A | N/A | ||
| GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13. | |||||