Total: 1542 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-4967 | | | 2025-05-30 | N/A | 9.1 CRITICAL | Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal's SSRF protections. |
| CVE-2025-45474 | | | 2025-05-30 | N/A | 7.3 HIGH | maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in Email Settings. |
| CVE-2021-31531 | 1 Zohocorp | 1 Manageengine Servicedesk Plus Msp | 2025-05-30 | 7.5 HIGH | 9.8 CRITICAL | Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF). |
| CVE-2020-15594 | 1 Zohocorp | 1 Manageengine Application Control Plus | 2025-05-30 | 4.0 MEDIUM | 4.3 MEDIUM | An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed. |
| CVE-2019-6970 | 1 Moodle | 1 Moodle | 2025-05-30 | 6.0 MEDIUM | 7.5 HIGH | Moodle 3.5.x before 3.5.4 allows SSRF. |
| CVE-2019-6516 | 1 Wso2 | 1 Dashboard Server | 2025-05-30 | 5.0 MEDIUM | 5.8 MEDIUM | An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to force the application to perform requests to the internal workstation (port-scanning) and to perform requests to adjacent workstations (network-scanning), aka SSRF. |
| CVE-2019-6512 | 1 Wso2 | 1 Api Manager | 2025-05-30 | 4.0 MEDIUM | 4.1 MEDIUM | An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation (SSRF port-scanning), other adjacent workstations (SSRF network scanning), or to enumerate files because of the existence of the file:// wrapper. |
| CVE-2019-3905 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2025-05-30 | 7.5 HIGH | 10.0 CRITICAL | Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF. |
| CVE-2025-45475 | | | 2025-05-29 | N/A | 5.4 MEDIUM | maccms10 v2025.1000.4047 is vulnerable to Server-Side Request Forgery (SSRF) in Friend Link Management. |
| CVE-2025-3954 | 1 Churchcrm | 1 Churchcrm | 2025-05-29 | 2.6 LOW | 3.7 LOW | A vulnerability, which was classified as problematic, has been found in ChurchCRM 5.16.0. Affected by this issue is some unknown functionality of the component Referer Handler. The manipulation leads to server-side request forgery. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-5276 | | | 2025-05-29 | N/A | 7.4 HIGH | All versions of the package mcp-markdownify-server are vulnerable to Server-Side Request Forgery (SSRF) via the Markdownify.get() function. An attacker can craft a prompt that, once accessed by the MCP host, can invoke the webpage-to-markdown, bing-search-to-markdown, and youtube-to-markdown tools to issue requests and read the responses to attacker-controlled URLs, potentially leaking sensitive information. |
| CVE-2024-52588 | | | 2025-05-29 | N/A | 4.9 MEDIUM | Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field leads to the application fetching itself, resulting in a server-side request forgery (SSRF). This issue has been patched in version 4.25.2. |
| CVE-2025-5186 | | | 2025-05-28 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in thinkgem JeeSite up to 5.11.1. It has been rated as critical. Affected by this issue is the function ResourceLoader.getResource of the file /cms/fileTemplate/form of the component URI Scheme Handler. The manipulation of the argument Name leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2022-40357 | 1 Zblogcn | 1 Z-blogphp | 2025-05-28 | N/A | 9.8 CRITICAL | A security issue was discovered in Z-BlogPHP <= 1.7.2. A Server-Side Request Forgery (SSRF) vulnerability in the zb_users/plugin/UEditor/php/action_crawler.php file allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the source parameter. |
| CVE-2022-38931 | 1 Baijiacms Project | 1 Baijiacms | 2025-05-28 | N/A | 8.8 HIGH | A Server-Side Request Forgery (SSRF) in the fetch_net_file_upload function of baijiacmsV4 v4.1.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter. |
| CVE-2022-30579 | 1 Tibco | 2 Spotfire Analytics Platform, Spotfire Server | 2025-05-28 | N/A | 7.1 HIGH | The Web Player component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace and TIBCO Spotfire Server contains a difficult-to-exploit vulnerability that allows a low-privileged attacker with network access to execute blind Server-Side Request Forgery (SSRF) on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace: version 12.0.0 and TIBCO Spotfire Server: version 12.0.0. |
| CVE-2025-29446 | 1 Openwebui | 1 Open Webui | 2025-05-28 | N/A | 3.3 LOW | open-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py in the function verify_connection. |
| CVE-2025-48383 | | | 2025-05-28 | N/A | 8.2 HIGH | Django-Select2 is a Django integration for Select2. Prior to version 8.4.1, instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can leak secret access tokens across requests. This can allow users to access restricted query sets and restricted data. This issue has been patched in version 8.4.1. |
| CVE-2025-5140 | | | 2025-05-28 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability classified as critical has been found in Seeyon Zhiyuan OA Web Application System up to 8.1 SP2. This affects the function this.oursNetService.getData of the file com\ours\www\ehr\openPlatform1\open4ClientType\controller\ThirdMenuController.class. The manipulation of the argument url leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-48739 | | | 2025-05-28 | N/A | N/A | A Server-Side Request Forgery (SSRF) vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows remote authenticated attackers with admin permissions (allowing them to access specific API endpoints) to manipulate URLs to direct requests to unexpected hosts or ports. This allows the attacker to use a TheHive server as a proxy to reach internal or otherwise restricted resources. This could be exploited to access other servers on the internal network. |
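The entries above share one root cause: a user-controlled URL (a webhook target, a mail-gateway host, a "fetch this page" tool input, a friend-link address) is handed to an HTTP client with no check on where it will actually connect. The recurring bypass shapes are visible in the descriptions too: a local domain that makes the server fetch itself (Strapi), a `file://` wrapper that turns the fetch into file read (WSO2 API Manager), and host/port manipulation that turns the server into a proxy for the internal network (TheHive, the WSO2 port-scanning cases). The guard below is an added example written for this page; it is not code from any of the listed projects and does not reproduce any vendor's fix. It assumes a policy of http/https only, a small port allowlist, and that the resolved address (not the hostname string) is what gets judged; the DNS table in the demo is constructed, not real records.

```python
"""Outbound-URL guard for user-supplied fetch targets (webhooks, link checkers,
URL-to-markdown tools). Added example, not code from any project in the list
above; the allowed schemes/ports and the demo DNS table are assumptions."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # drops file://, gopher://, ftp://, dict:// ...
ALLOWED_PORTS = {80, 443, 8443}       # assumption: what a webhook may legitimately target
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup returning every A/AAAA answer (not used by the offline demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def static_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a fixed name->addresses table, for tests and offline use."""
    def resolve(host: str) -> List[str]:
        if host not in table:
            raise socket.gaierror(f"NXDOMAIN {host}")
        return list(table[host])
    return resolve


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses.
    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped so the IPv4 rules apply."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes loopback, RFC1918, link-local (169.254.169.254),
    # CGNAT, unspecified and reserved ranges; multicast needs its own check.
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (ok, detail). On success, detail is the address to connect to.
    Connect to that address (keeping Host/SNI as the original name) rather than
    re-resolving, or a DNS-rebinding name can answer public here and private later."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:                                   # literal address: no DNS needed
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:                     # hostname, incl. decimal forms such as
        try:                               # 2130706433 that resolvers map to 127.0.0.1
            addrs = list(resolve(host))
        except OSError:
            return False, f"unresolvable host: {host!r}"
    if not addrs:
        return False, f"unresolvable host: {host!r}"
    for addr in addrs:                     # every answer must be public, not just the first
        try:
            public = is_public_ip(addr)
        except ValueError:
            return False, f"bad address from resolver: {addr!r}"
        if not public:
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, addrs[0]


# Constructed DNS answers for the offline demo (not real records).
DEMO_DNS: Dict[str, List[str]] = {
    "hooks.example.com": ["8.8.8.8", "2001:4860:4860::8888"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.attacker.example": ["8.8.8.8", "10.0.0.1"],   # mixed answers: reject
    "2130706433": ["127.0.0.1"],                           # decimal IPv4 -> loopback
}
DEMO_URLS = [
    "https://hooks.example.com/notify",
    "http://localhost:8443/admin",
    "http://169.254.169.254/latest/meta-data/",
    "file:///etc/passwd",
    "http://[::ffff:10.0.0.5]/",
    "http://internal.corp:6379/",
    "http://rebind.attacker.example/",
    "http://2130706433/",
    "http://user:pw@hooks.example.com/",
]


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every demo URL against the constructed DNS table."""
    resolve = static_resolver(DEMO_DNS)
    return {u: check_outbound_url(u, resolve) for u in DEMO_URLS}


if __name__ == "__main__":
    for url, (ok, detail) in run_demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {url:45} {detail}")
```

Two caveats a practitioner should keep in mind. First, the check must be repeated on every redirect hop: disable automatic redirect following in the HTTP client and re-run the guard on each `Location`, otherwise an allowed public host can 302 the server to `http://169.254.169.254/`. Second, checking the hostname string (blocklisting "localhost" or "127.0.0.1") is not enough, which is why the guard judges resolved addresses; decimal, octal, IPv4-mapped and short-form addresses all reach loopback without ever containing those strings. For tool-calling setups like the mcp-markdownify-server entry, the prompt is the untrusted input, so the same guard belongs in front of the tool's fetch rather than in the model.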