Total: 2645 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-46531 | | | 2026-06-17 | N/A | 4.9 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Ankur Vishwakarma WP AVCL Automation Helper (formerly WPFlyLeads) woozap allows Server Side Request Forgery. This issue affects WP AVCL Automation Helper (formerly WPFlyLeads): from n/a through <= 3.4. | |||||
| CVE-2025-46511 | | | 2026-06-17 | N/A | 6.4 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Derek Springer BeerXML Shortcode beerxml-shortcode allows Server Side Request Forgery. This issue affects BeerXML Shortcode: from n/a through <= 0.7.1. | |||||
| CVE-2025-46503 | | | 2026-06-17 | N/A | 4.9 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in josheli Simple Google Photos Grid simple-google-photos-grid allows Server Side Request Forgery. This issue affects Simple Google Photos Grid: from n/a through <= 1.5. | |||||
| CVE-2025-46443 | | | 2026-06-17 | N/A | 4.9 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Adam Pery Animate animate allows Server Side Request Forgery. This issue affects Animate: from n/a through <= 0.5. | |||||
| CVE-2025-46385 | | | 2026-06-17 | N/A | 8.6 HIGH |
| CWE-918 Server-Side Request Forgery (SSRF) | |||||
| CVE-2025-46341 | 1 Freshrss | 1 Freshrss | 2026-06-17 | N/A | 7.1 HIGH |
| FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the `Remote-User` header or the `X-WebAuth-User` header by making specially crafted requests via the add feed functionality and obtaining the CSRF token via XPath scraping. The attacker has to know the IP address of the proxied FreshRSS instance and the admin's username, while also having an account on the instance. An attacker can send specially crafted requests in order to gain unauthorized access to internal services. This can also lead to privilege escalation like in the demonstrated scenario, although users that have set up OIDC are not affected by privilege escalation. Version 1.26.2 contains a patch for the issue. | |||||
| CVE-2025-45939 | 1 Apwide | 1 Golive | 2026-06-17 | N/A | 6.5 MEDIUM |
| Apwide Golive 10.2.0 Jira plugin allows Server-Side Request Forgery (SSRF) via the test webhook function. | |||||
| CVE-2025-45887 | 1 Wanglongcn | 1 Yifang | 2026-06-17 | N/A | 9.1 CRITICAL |
| Yifang CMS v2.0.2 is vulnerable to Server-Side Request Forgery (SSRF) in /api/file/getRemoteContent. | |||||
| CVE-2025-45872 | 1 Zrlog | 1 Zrlog | 2026-06-17 | N/A | 9.8 CRITICAL |
| zrlog v3.1.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the downloadUrl parameter. | |||||
| CVE-2025-45475 | 1 Maccms | 1 Maccms | 2026-06-17 | N/A | 5.4 MEDIUM |
| maccms10 v2025.1000.4047 is vulnerable to Server-Side request forgery (SSRF) in Friend Link Management. | |||||
| CVE-2025-45474 | 1 Maccms | 1 Maccms | 2026-06-17 | N/A | 7.3 HIGH |
| maccms10 v2025.1000.4047 is vulnerable to Server-side request forgery (SSRF) in Email Settings. | |||||
| CVE-2025-45250 | 1 Mrdoc | 1 Mrdoc | 2026-06-17 | N/A | 5.5 MEDIUM |
| MrDoc v0.95 and before is vulnerable to Server-Side Request Forgery (SSRF) in the validate_url function of the app_doc/utils.py file. | |||||
| CVE-2025-44594 | 1 Halo | 1 Halo | 2026-06-17 | N/A | 9.1 CRITICAL |
| halo v2.20.17 and before is vulnerable to server-side request forgery (SSRF) in /apis/uc.api.storage.halo.run/v1alpha1/attachments/-/upload-from-url. | |||||
| CVE-2025-44043 | | | 2026-06-17 | N/A | 5.4 MEDIUM |
| Keyoti SearchUnit prior to 9.0.0 is vulnerable to Server-Side Request Forgery (SSRF) in /Keyoti_SearchEngine_Web_Common/SearchService.svc/GetResults and /Keyoti_SearchEngine_Web_Common/SearchService.svc/GetLocationAndContentCategories. An attacker can specify their own SMB server as the indexDirectory value when making POST requests to the affected components. In doing so an attacker can get the SearchUnit server to read and write configuration and log files from/to the attacker's server. | |||||
| CVE-2025-43763 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-06-17 | N/A | 6.5 MEDIUM |
| A server-side request forgery (SSRF) vulnerability exists in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 that affects custom object attachment fields. This flaw allows an attacker to manipulate the application into making unauthorized requests to other instances, creating new object entries that link to external resources. | |||||
| CVE-2025-43747 | 1 Liferay | 1 Digital Experience Platform | 2026-06-17 | N/A | 6.5 MEDIUM |
| A server-side request forgery (SSRF) vulnerability exists in Liferay DXP 2025.Q2.0 through 2025.Q2.3 due to insecure domain validation on analytics.cloud.domain.allowed, allowing an attacker to perform requests by changing the domain and bypassing the validation method. This insecure validation does not distinguish between trusted subdomains and malicious domains. | |||||
| CVE-2025-42988 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2026-06-17 | N/A | 3.7 LOW |
| Under certain conditions, SAP Business Objects Business Intelligence Platform allows an unauthenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. This disclosure of information could further enable the researcher to cause SSRF. It has no impact on integrity and availability of the application. | |||||
| CVE-2025-42965 | | | 2026-06-17 | N/A | 4.1 MEDIUM |
| SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints. Successful exploitation may lead to information disclosure. This vulnerability does not impact the integrity or availability of the application. | |||||
| CVE-2025-42907 | | | 2026-06-17 | N/A | 4.3 MEDIUM |
| SAP BI Platform allows an attacker to modify the IP address of the LogonToken for the OpenDoc. On accessing the modified link in the browser a different server could get the ping request. This has low impact on integrity with no impact on confidentiality and availability of the system. | |||||
| CVE-2025-40595 | | | 2026-06-17 | N/A | 7.2 HIGH |
| A Server-side request forgery (SSRF) vulnerability has been identified in the SMA1000 Appliance Work Place interface. By using an encoded URL, a remote unauthenticated attacker could potentially cause the appliance to make requests to an unintended location. | |||||
