Total
2721 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-36675 | 1 Lylme | 1 Lylme Spage | 2026-06-17 | N/A | 9.1 CRITICAL |
| LyLme_spage v1.9.5 is vulnerable to Server-Side Request Forgery (SSRF) via the get_head function. | |||||
| CVE-2024-36471 | 1 Apache | 1 Allura | 2026-06-17 | N/A | 7.5 HIGH |
| Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, which could cause Allura to read from internal services and expose them. This issue affects Apache Allura from 1.0.1 through 1.16.0. Users are recommended to upgrade to version 1.17.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file. | |||||
| CVE-2024-36458 | 2026-06-17 | N/A | N/A | ||
| The vulnerability allows a malicious low-privileged PAM user to perform server upgrade related actions. | |||||
| CVE-2024-36448 | 1 Apache | 1 Iotdb Workbench | 2026-06-17 | N/A | 7.3 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** Server-Side Request Forgery (SSRF) vulnerability in Apache IoTDB Workbench. This issue affects Apache IoTDB Workbench: from 0.13.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-36427 | 2026-06-17 | N/A | 8.1 HIGH | ||
| The file-serving function in TARGIT Decision Suite before 24.06.19002 (TARGIT Decision Suite 2024 – June) allows authenticated attackers to read or write to server files via a crafted file request. This can allow code execution via a .xview file. | |||||
| CVE-2024-36414 | 1 Salesagility | 1 Suitecrm | 2026-06-17 | N/A | 7.7 HIGH |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-35637 | 1 Church Admin Project | 1 Church Admin | 2026-06-17 | N/A | 4.4 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.3.6. | |||||
| CVE-2024-35635 | 1 Wpmanageninja | 1 Ninja Tables | 2026-06-17 | N/A | 4.4 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in WPManageNinja LLC Ninja Tables.This issue affects Ninja Tables: from n/a through 5.0.9. | |||||
| CVE-2024-35633 | 1 Creativethemes | 1 Blocksy Companion | 2026-06-17 | N/A | 4.4 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Creative Themes Blocksy Companion blocksy-companion.This issue affects Blocksy Companion: from n/a through <= 2.0.42. | |||||
| CVE-2024-35451 | 1 Linkstack | 1 Linkstack | 2026-06-17 | N/A | 4.8 MEDIUM |
| LinkStack 2.7.9 through 4.7.7 allows resources\views\components\favicon.blade.php link SSRF. | |||||
| CVE-2024-35172 | 2026-06-17 | N/A | 4.4 MEDIUM | ||
| Server-Side Request Forgery (SSRF) vulnerability in ShortPixel ShortPixel Adaptive Images shortpixel-adaptive-images.This issue affects ShortPixel Adaptive Images: from n/a through <= 3.8.3. | |||||
| CVE-2024-34711 | 1 Osgeo | 1 Geoserver | 2026-06-17 | N/A | 9.3 CRITICAL |
| GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property. | |||||
| CVE-2024-34689 | 1 Sap | 2 Business Workflow, Sap Basis | 2026-06-17 | N/A | 5.0 MEDIUM |
| WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application. | |||||
| CVE-2024-34581 | 2026-06-17 | N/A | 7.3 HIGH | ||
| The W3C XML Signature Syntax and Processing (XMLDsig) specification, starting with 1.0, was originally published with a "RetrievalMethod is a URI ... that may be used to obtain key and/or certificate information" statement and no accompanying information about SSRF risks, and this may have contributed to vulnerable implementations such as those discussed in CVE-2023-36661 and CVE-2024-21893. NOTE: this was mitigated in 1.1 and 2.0 via a directly referenced Best Practices document that calls on implementers to be wary of SSRF. | |||||
| CVE-2024-34580 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| Apache XML Security for C++ through 2.0.4 implements the XML Signature Syntax and Processing (XMLDsig) specification without protection against an SSRF payload in a KeyInfo element. NOTE: the project disputes this CVE Record on the grounds that any vulnerabilities are the result of a failure to configure XML Security for C++ securely. Even when avoiding this particular issue, any use of this library would need considerable additional code and a deep understanding of the standards and protocols involved to arrive at a secure implementation for any particular use case. We recommend against continued direct use of this library. | |||||
| CVE-2024-34453 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| TwoNav 2.1.13 contains an SSRF vulnerability via the url paramater to index.php?c=api&method=read_data&type=connectivity_test (which reaches /system/api.php). | |||||
| CVE-2024-34361 | 1 Pi-hole | 1 Pi-hole | 2026-06-17 | N/A | 8.5 HIGH |
| Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue. | |||||
| CVE-2024-34351 | 1 Vercel | 1 Next.js | 2026-06-17 | N/A | 7.5 HIGH |
| Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`. | |||||
| CVE-2024-34111 | 1 Adobe | 3 Commerce, Commerce Webhooks, Magento | 2026-06-17 | N/A | 6.5 MEDIUM |
| Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A low-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.. | |||||
| CVE-2024-34068 | 1 Pterodactyl | 1 Wings | 2026-06-17 | N/A | 6.4 MEDIUM |
| Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the `api.disable_remote_download` option as a workaround. | |||||