Total: 2645 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-51980 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| An unauthenticated attacker may perform a limited server side request forgery (SSRF), forcing the target device to open a TCP connection to an arbitrary port number on an arbitrary IP address. This SSRF leverages the WS-Addressing ReplyTo element in a Web service (HTTP TCP port 80) SOAP request. The attacker cannot control the data sent in the SSRF connection, nor can the attacker receive any data back. This SSRF is suitable for TCP port scanning of an internal network when the Web service (HTTP TCP port 80) is exposed across a network segment. | |||||
| CVE-2024-51785 | | | 2026-06-17 | N/A | 4.4 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Nks Responsive Filterable Portfolio responsive-filterable-portfolio allows Server Side Request Forgery. This issue affects Responsive Filterable Portfolio: from n/a through <= 1.0.22. | |||||
| CVE-2024-51740 | 1 Combodo | 1 Itop | 2026-06-17 | N/A | 4.3 MEDIUM |
| Combodo iTop is a simple, web based IT Service Management tool. This vulnerability can be used to create HTTP requests on behalf of the server, from a low privileged user. The user portal form manager has been fixed to only instantiate classes derived from it. This issue has been addressed in versions 2.7.11, 3.0.5, 3.1.2, and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-51665 | 1 Wpthemespace | 1 Magical Addons For Elementor | 2026-06-17 | N/A | 4.9 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Noor Alam Magical Addons For Elementor magical-addons-for-elementor allows Server Side Request Forgery. This issue affects Magical Addons For Elementor: from n/a through <= 1.2.1. | |||||
| CVE-2024-51463 | 1 Ibm | 1 I | 2026-06-17 | N/A | 5.4 MEDIUM |
| IBM i 7.3, 7.4, and 7.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | |||||
| CVE-2024-51408 | 1 Appsmith | 1 Appsmith | 2026-06-17 | N/A | 8.5 HIGH |
| AppSmith Community 1.8.3 before 1.46 allows SSRF via New DataSource for application/json requests to 169.254.169.254 to retrieve AWS metadata credentials. | |||||
| CVE-2024-51358 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| An issue in Linux Server Heimdall v.2.6.1 allows a remote attacker to execute arbitrary code via a crafted script to the Add new application. | |||||
| CVE-2024-51242 | 1 Eladmin | 1 Eladmin | 2026-06-17 | N/A | 6.5 MEDIUM |
| A Server-Side Request Forgery (SSRF) vulnerability has been identified in eladmin 2.7 and earlier in ServerDeployController.java. The manipulation of the HTTP Body ip parameter leads to SSRF. | |||||
| CVE-2024-50811 | | | 2026-06-17 | N/A | 9.1 CRITICAL |
| hopetree izone lts c011b48 contains a server-side request forgery (SSRF) vulnerability in the active push function as \\apps\\tool\\apis\\bd_push.py does not securely filter user input through push_urls() and get_urls(). | |||||
| CVE-2024-50714 | | | 2026-06-17 | N/A | 7.5 HIGH |
| A Server-Side Request Forgery (SSRF) in smarts-srl.com Smart Agent v.1.1.0 allows a remote attacker to obtain sensitive information via a crafted script to the /FB/getFbVideoSource.php component. | |||||
| CVE-2024-50337 | 1 Chamilo | 1 Chamilo Lms | 2026-06-17 | N/A | 5.3 MEDIUM |
| Chamilo is a learning management system. Prior to version 1.11.28, the OpenId function allows anyone to send requests to any URL on server's behalf, which results in unauthenticated blind SSRF. This issue has been patched in version 1.11.28. | |||||
| CVE-2024-4894 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| ITPison OMICARD EDM fails to properly filter specific URL parameter, allowing unauthenticated remote attackers to modify the parameters and conduct Server-Side Request Forgery (SSRF) attacks. This vulnerability enables attackers to probe internal network information. | |||||
| CVE-2024-4851 | 1 Quivr | 1 Quivr | 2026-06-17 | N/A | 7.7 HIGH |
| A Server-Side Request Forgery (SSRF) vulnerability exists in the stangirard/quivr application, version 0.0.204, which allows attackers to access internal networks. The vulnerability is present in the crawl endpoint where the 'url' parameter can be manipulated to send HTTP requests to arbitrary URLs, thereby facilitating SSRF attacks. The affected code is located in the backend/routes/crawl_routes.py file, specifically within the crawl_endpoint function. This issue could allow attackers to interact with internal services that are accessible from the server hosting the application. | |||||
| CVE-2024-4789 | | | 2026-06-17 | N/A | 6.4 MEDIUM |
| Cost Calculator Builder Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to 3.1.72, via the send_demo_webhook() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2024-4562 | 1 Progress | 1 Whatsup Gold | 2026-06-17 | N/A | 5.4 MEDIUM |
| In WhatsUp Gold versions released before 2023.1.2, an SSRF vulnerability exists in WhatsUp Gold's HTTP Monitoring functionality. Due to the lack of proper authorization, any authenticated user can access the HTTP monitoring functionality, which leads to Server Side Request Forgery. | |||||
| CVE-2024-4561 | 1 Progress | 1 Whatsup Gold | 2026-06-17 | N/A | 4.2 MEDIUM |
| In WhatsUp Gold versions released before 2023.1.2, a blind SSRF vulnerability exists in WhatsUp Gold's FaviconController that allows an attacker to send arbitrary HTTP requests on behalf of the vulnerable server. | |||||
| CVE-2024-4469 | 1 Wp-staging | 1 Wp Staging | 2026-06-17 | N/A | 7.5 HIGH |
| The WP STAGING WordPress Backup Plugin WordPress plugin before 3.5.0 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations. | |||||
| CVE-2024-4404 | 1 Wpmet | 1 Elementskit | 2026-06-17 | N/A | 8.5 HIGH |
| The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.6.2 via the 'render_raw' function. This can allow authenticated attackers, with contributor-level permissions and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2024-4399 | 1 Apereo | 1 Central Authentication Service | 2026-06-17 | N/A | 9.1 CRITICAL |
| The does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attack | |||||
| CVE-2024-4354 | 1 Tablepress | 1 Tablepress | 2026-06-17 | N/A | 6.4 MEDIUM |
| The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3 via the get_files_to_import() function. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Due to the complex nature of protecting against DNS rebind attacks in WordPress software, we settled on the developer simply restricting the usage of the URL import functionality to just administrators. While this is not optimal, we feel this poses a minimal risk to most site owners and ideally WordPress core would correct this issue in wp_safe_remote_get() and other functions. | |||||
