Total
1343 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-36560 | 2025-05-19 | N/A | N/A | ||
| Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request. | |||||
| CVE-2024-13845 | 1 Rocketgenius | 1 Gravity Forms Webhooks | 2025-05-19 | N/A | 5.5 MEDIUM |
| The Gravity Forms WebHooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.0 via the 'process_feed' method of the GF_Webhooks class This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2021-40438 | 11 Apache, Broadcom, Debian and 8 more | 40 Http Server, Brocade Fabric Operating System Firmware, Debian Linux and 37 more | 2025-05-16 | 6.8 MEDIUM | 9.0 CRITICAL |
| A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. | |||||
| CVE-2025-47791 | 2025-05-16 | N/A | N/A | ||
| Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3, a currently unused endpoint to verify a share recipient was not protected correctly, allowing to proxy requests to another server. The endpoint was removed in Nextcloud Server 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server 28.0.13, 29.0.10, and 30.0.3. No known workarounds are available. | |||||
| CVE-2024-42168 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 9.4 CRITICAL |
| HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability. An attacker can deploy a web server that returns malicious content, and then induce the application to retrieve and process that content. | |||||
| CVE-2024-4260 | 1 Godaddy | 1 Coblocks | 2025-05-16 | N/A | N/A |
| The Page Builder Gutenberg Blocks WordPress plugin before 3.1.12 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks. | |||||
| CVE-2024-24113 | 1 Xuxueli | 1 Xxl-job | 2025-05-15 | N/A | 8.8 HIGH |
| xxl-job =< 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability, which causes low-privileged users to control executor to RCE. | |||||
| CVE-2023-42282 | 1 Fedorindutny | 1 Ip | 2025-05-15 | N/A | 9.8 CRITICAL |
| The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic. | |||||
| CVE-2022-41495 | 1 Clippercms | 1 Clippercms | 2025-05-15 | N/A | 9.8 CRITICAL |
| ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php. | |||||
| CVE-2022-41497 | 1 Clippercms | 1 Clippercms | 2025-05-15 | N/A | 9.8 CRITICAL |
| ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the pkg_url parameter at /manager/index.php. | |||||
| CVE-2022-41496 | 1 Idreamsoft | 1 Icms | 2025-05-15 | N/A | 9.8 CRITICAL |
| iCMS v7.0.16 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at admincp.php. | |||||
| CVE-2022-42149 | 1 Keking | 1 Kkfileview | 2025-05-14 | N/A | 9.8 CRITICAL |
| kkFileView 4.0 is vulnerable to Server-side request forgery (SSRF) via controller\OnlinePreviewController.java. | |||||
| CVE-2022-41477 | 1 Webidsupport | 1 Webid | 2025-05-14 | N/A | 9.1 CRITICAL |
| A security issue was discovered in WeBid <=1.2.2. A Server-Side Request Forgery (SSRF) vulnerability in the admin/theme.php file allows remote attackers to inject payloads via theme parameters to read files across directories. | |||||
| CVE-2024-10903 | 1 Managewp | 1 Broken Link Checker | 2025-05-14 | N/A | N/A |
| The Broken Link Checker WordPress plugin before 2.4.2 does not validate a the link URLs before making a request to them, which could allow admin users to perform SSRF attack, for example on a multisite installation. | |||||
| CVE-2024-13940 | 2025-05-14 | N/A | 5.5 MEDIUM | ||
| The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2025-0480 | 1 Wuzhicms | 1 Wuzhicms | 2025-05-13 | N/A | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in wuzhicms 4.1.0. This affects the function test of the file coreframe/app/search/admin/config.php. The manipulation of the argument sphinxhost/sphinxport leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-47548 | 1 Wbcomdesigns | 1 Activity Link Preview For Buddypress | 2025-05-12 | N/A | 9.8 CRITICAL |
| Server-Side Request Forgery (SSRF) vulnerability in Varun Dubey Wbcom Designs - Activity Link Preview For BuddyPress allows Server Side Request Forgery. This issue affects Wbcom Designs - Activity Link Preview For BuddyPress: from n/a through 1.4.4. | |||||
| CVE-2025-47635 | 1 Webinarpress | 1 Webinarpress | 2025-05-12 | N/A | 9.8 CRITICAL |
| Server-Side Request Forgery (SSRF) vulnerability in WPWebinarSystem WebinarPress allows Server Side Request Forgery. This issue affects WebinarPress: from n/a through 1.33.27. | |||||
| CVE-2025-4012 | 1 Playeduos | 1 Playedu | 2025-05-12 | N/A | 7.5 HIGH |
| A vulnerability was found in playeduxyz PlayEdu ?????? up to 1.8 and classified as problematic. This issue affects some unknown processing of the file /api/backend/v1/user/create of the component User Avatar Handler. The manipulation of the argument Avatar leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-7253 | 1 Importwp | 1 Import Wp | 2025-05-08 | N/A | N/A |
| The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations. | |||||