
CWE-918 Server-Side Request Forgery (SSRF) vulnerability list (1709)

Summary of the 1709 CVE entries associated with the CWE-918 Server-Side Request Forgery (SSRF) weakness class, with AI-generated Chinese analysis.

CWE-918 Server-Side Request Forgery (SSRF) is a weakness that lets an attacker induce a server to issue requests on the attacker's behalf. When a server accepts an externally supplied URL and fetches its content without strictly validating the target address, an attacker can craft requests that reach internal network resources or probe internal services, bypassing firewall restrictions. Developers should enforce a strict allowlist, restrict the permitted protocols, disable redirect following, and validate all input thoroughly, so that outbound requests can only reach the intended, legitimate external resources.

Official MITRE CWE description
CWE: CWE-918 Server-Side Request Forgery (SSRF). Description: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Common consequences (3)
Confidentiality: Read Application Data
Integrity: Execute Unauthorized Code or Commands
Access Control: Bypass Protection Mechanism
By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts i…
Code examples (1)
This code intends to receive a URL from a user, access the URL, and return the results to the user.

Bad · PHP

$url = $_GET['url']; # User-controlled input
# Fetch the content of the provided URL
$response = file_get_contents($url);
echo $response;

Good · PHP

# Define allowed URLs (or domains)
$allowed_urls = [
    'https://example.com/data.json',
    'https://api.example.com/info',
];
# Get the user-provided URL
$url = $_GET['url'] ?? '';
# Validate against allowed URLs
if (!in_array($url, $allowed_urls)) {
    http_response_code(400);
    echo "Invalid or unauthorized URL.";
    exit;
}
# Fetch content safely
$response = @file_get_contents($url);
if ($response === false) {
    http_response_code(500);
    echo "Failed to fetch content.";
    exit;
}
echo htmlspecialchars($response); # Escape output for safety
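The "Good" PHP example above accepts only an exact list of URLs. The following Python example is added here and is not code from the page or from any project listed on it; it generalizes that policy along the lines of the advice given earlier on the page: it restricts schemes and ports, rejects credentials embedded in the URL, matches the host against an allowlist, resolves the host and rejects any loopback, private, link-local, multicast, reserved or unspecified address, and fetches with redirect following disabled. The resolver is injectable so the checks run offline; FAKE_DNS, the host names and the addresses in it are constructed sample data, and validate_outbound_url, fetch_validated and check are hypothetical helper names.

```python
"""Outbound-URL policy for a URL-fetching endpoint (added example, not the page's code)."""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class SSRFValidationError(ValueError):
    """Raised when a URL fails the outbound-request policy."""


def system_resolver(host):
    """Resolve a hostname to all of its IPv4/IPv6 addresses via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, allowed_hosts, resolver=system_resolver):
    """Check a user-supplied URL and return (url, checked_addresses).

    Rejects unexpected schemes, embedded credentials, non-standard ports, hosts
    outside the allowlist, and any host that resolves to a loopback, private,
    link-local, multicast, reserved or unspecified address.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SSRFValidationError(f"scheme not allowed: {parts.scheme!r}")
    # "http://allowed.host@evil.example/" parses as userinfo + a different host.
    if parts.username is not None or parts.password is not None:
        raise SSRFValidationError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise SSRFValidationError("missing host")
    host = host.lower().rstrip(".")
    if host not in {h.lower() for h in allowed_hosts}:
        raise SSRFValidationError(f"host not in allowlist: {host!r}")
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        raise SSRFValidationError("invalid port") from exc
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise SSRFValidationError(f"port not allowed: {port}")
    addresses = resolver(host)
    if not addresses:
        raise SSRFValidationError(f"host did not resolve: {host!r}")
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            raise SSRFValidationError(f"{host!r} resolves to disallowed address {addr}")
    return url, addresses


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every 3xx: a redirect must not be able to steer the fetch elsewhere."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise SSRFValidationError(f"redirect to {newurl!r} refused")


def fetch_validated(url, allowed_hosts, resolver=system_resolver, timeout=5):
    """Validate the URL, then fetch it with redirects disabled; returns the body."""
    checked_url, _addresses = validate_outbound_url(url, allowed_hosts, resolver)
    opener = urllib.request.build_opener(_NoRedirect())  # replaces the default handler
    req = urllib.request.Request(checked_url, headers={"User-Agent": "ssrf-guard-example"})
    with opener.open(req, timeout=timeout) as resp:
        return resp.read()


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],  # one public, one internal answer
}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com", "rebind.example.com"}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def check(url):
    """Return 'ok' or the rejection reason for a URL under the constructed policy."""
    try:
        validate_outbound_url(url, ALLOWED_HOSTS, fake_resolver)
        return "ok"
    except SSRFValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    for u in ["https://api.example.com/data.json", "file:///etc/passwd",
              "http://api.example.com@evil.example/", "http://127.0.0.1/",
              "https://api.example.com:8080/", "https://rebind.example.com/"]:
        print(f"{u:45} -> {check(u)}")
```

The "rebind.example.com" entry shows why the check runs over every resolved address and not just the first: one internal answer is enough to reject the host. The validator returns the checked addresses so that an HTTP client which supports connecting to a fixed address can use them; urllib does not, so a DNS answer that changes between the check and the connection is not covered by this fetcher.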
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2026-49345 | Mercator: server-side request forgery in CVE configuration | mercator | - | - | 2026-06-19
CVE-2026-12726 | AWX automation controller GitHub webhook second-order SSRF vulnerability | Red Hat Ansible Automation Platform 2 | 6.3 | Medium | 2026-06-19
CVE-2026-49359 | PhpWeasyPrint attachment option leads to SSRF and local file disclosure | php-weasyprint | 6.5 | Medium | 2026-06-19
CVE-2026-11989 | Bit Integrations <=2.8.7 unauthenticated SSRF vulnerability | Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation | 6.5 | Medium | 2026-06-19
CVE-2026-4328 | WordPress Advanced Import <= 1.4.6 server-side request forgery vulnerability | Advanced Import | 6.4 | Medium | 2026-06-19
CVE-2026-11395 | CF7 to Webhook <= 5.0.0 unauthenticated server-side request forgery vulnerability | CF7 to Webhook | 7.2 | High | 2026-06-18
CVE-2026-48764 | baptisteArno typebot.io server-side request forgery vulnerability | typebot.io | 8.2 | High | 2026-06-17
CVE-2026-12566 | Black Lantern Security BBOT server-side request forgery vulnerability | BBOT | 3.1 | Low | 2026-06-17
CVE-2026-48818 | Kludex starlette server-side request forgery vulnerability | starlette | 7.5 | High | 2026-06-17
CVE-2026-48782 | pydantic-ai SSRF bypass vulnerability (incomplete fix for CVE-2026-46678) | pydantic-ai | 6.8 | Medium | 2026-06-16
CVE-2026-47684 | Sync-in Server SSRF protection bypass vulnerability | server | 7.7 | High | 2026-06-16
CVE-2025-60175 | vynnus PopAd server-side request forgery vulnerability | PopAd | 4.4 | Medium | 2026-06-15
CVE-2026-12210 | universal-tool-calling-protocol python-utcp server-side request forgery vulnerability | python-utcp | 6.3 | Medium | 2026-06-15
CVE-2026-53827 | OpenClaw server-side request forgery vulnerability | OpenClaw | 6.5 | Medium | 2026-06-12
CVE-2026-47268 | nezhahq nezha server-side request forgery vulnerability | nezha | 6.4 | Medium | 2026-06-12
CVE-2026-53607 | ApostropheCMS server-side request forgery vulnerability | apostrophe | 3.7 | Low | 2026-06-12
CVE-2026-45012 | ApostropheCMS apostrophe server-side request forgery vulnerability | apostrophe | 7.6 | High | 2026-06-12
CVE-2026-50552 | Koel server-side request forgery vulnerability | koel | 6.3 | Medium | 2026-06-12
CVE-2026-47260 | Koel server-side request forgery vulnerability | koel | 7.7 | High | 2026-06-12
CVE-2026-53812 | OpenClaw code issue vulnerability | OpenClaw | 7.7 | High | 2026-06-11
CVE-2026-53782 | Summarize code issue vulnerability | summarize | 7.4 | High | 2026-06-11
CVE-2026-47170 | Garlic-Hub code issue vulnerability | garlic-hub | 7.7 | High | 2026-06-11
CVE-2026-47157 | aiograpi code issue vulnerability | aiograpi | 6.5 | Medium | 2026-06-11
CVE-2026-46697 | WordPress plugin Fediverse Embeds code issue vulnerability | fediverse-embeds-wordpress-plugin | 7.5 | High | 2026-06-11
CVE-2026-46698 | WordPress plugin Fediverse Embeds code issue vulnerability | fediverse-embeds-wordpress-plugin | 5.3 | Medium | 2026-06-11
CVE-2026-44492 | Axios code issue vulnerability | axios | 8.6 | High | 2026-06-11
CVE-2026-3341 | IBM Langflow Desktop code issue vulnerability | Langflow Desktop | 5.4 | Medium | 2026-06-11
CVE-2026-9204 | GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) code issue vulnerability | GitLab | 5.3 | Medium | 2026-06-11
CVE-2026-40999 | VMware Spring Web Services code issue vulnerability | Spring Web Services | 8.6 | High | 2026-06-11
CVE-2026-50131 | Fedify code issue vulnerability | fedify | 8.6 | High | 2026-06-10

CWE-918 (Server-Side Request Forgery (SSRF)) is a common weakness class; this platform has collected 1709 CVE entries associated with it.