Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CWE-918 (服务端请求伪造(SSRF)) — Vulnerability Class 1709

1709 vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)). AI Chinese analysis included.

CWE-918, Server-Side Request Forgery, is a critical web security weakness where an application allows users to specify URLs that the server subsequently fetches without adequate validation. Attackers typically exploit this by manipulating input parameters to force the server to access internal resources, such as cloud metadata services or local network endpoints, which are otherwise inaccessible from the outside. This bypasses perimeter defenses, potentially leading to sensitive data exposure or internal network reconnaissance. To mitigate SSRF, developers must implement strict input validation, ensuring that only whitelisted domains and protocols are permitted. Additionally, employing network-level controls like firewalls to restrict outbound connections from the application server and isolating internal services from public-facing interfaces significantly reduces the attack surface, preventing unauthorized internal access.

MITRE CWE Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Common Consequences (3)
ConfidentialityRead Application Data
IntegrityExecute Unauthorized Code or Commands
Access ControlBypass Protection Mechanism
By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts i…
Examples (1)
This code intends to receive a URL from a user, access the URL, and return the results to the user.
$url = $_GET['url']; # User-controlled input # Fetch the content of the provided URL $response = file_get_contents($url); echo $response;
Bad · PHP
# Define allowed URLs (or domains) $allowed_urls = [ 'https://example.com/data.json', 'https://api.example.com/info', ]; # Get the user-provided URL $url = $_GET['url'] ?? ''; # Validate against allowed URLs if (!in_array($url, $allowed_urls)) { http_response_code(400); echo "Invalid or unauthorized URL."; exit; } # Fetch content safely $response = @file_get_contents($url); if ($response === false) { http_response_code(500); echo "Failed to fetch content."; exit; } echo htmlspecialchars($response); # Escape output for safety
Good · PHP
CVE IDTitleCVSSSeverityPublished
CVE-2026-49345 Mercator CVE Configuration Vulnerable to Server-Side Request Forgery (SSRF) — mercator--2026-06-19
CVE-2026-12726 Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential — Red Hat Ansible Automation Platform 2 6.3 Medium2026-06-19
CVE-2026-49359 PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option — php-weasyprint 6.5 Medium2026-06-19
CVE-2026-11989 Bit integrations <= 2.8.7 - Unauthenticated Server-Side Request Forgery via Form Field Upload Mapping — Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation 6.5 Medium2026-06-19
CVE-2026-4328 Advanced Import: One-Click Demo Import for WordPress <= 1.4.6 - Authenticated (Author+) Server-Side Request Forgery via 'demo_file' Parameter — Advanced Import 6.4 Medium2026-06-19
CVE-2026-11395 CF7 to Webhook <= 5.0.0 - Unauthenticated Server-Side Request Forgery via CF7 Field Placeholder in Webhook URL Host — CF7 to Webhook 7.2 High2026-06-18
CVE-2026-48764 TypeBot has SSRF in HTTP request and script fetch flows via DNS rebinding bypass — typebot.io 8.2 High2026-06-17
CVE-2026-12566 SSRF via unvalidated WWW-Authenticate realm in docker_pull module — BBOT 3.1 Low2026-06-17
CVE-2026-48818 Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows — starlette 7.5 High2026-06-17
CVE-2026-48782 pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678) — pydantic-ai 6.8 Medium2026-06-16
CVE-2026-47684 Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP — server 7.7 High2026-06-16
CVE-2025-60175 WordPress PopAd Plugin <= 1.0.4 - Server Side Request Forgery (SSRF) Vulnerability — PopAd 4.4 Medium2026-06-15
CVE-2026-12210 universal-tool-calling-protocol python-utcp utcp-gql/utcp-websocket server-side request forgery — python-utcp 6.3 Medium2026-06-15
CVE-2026-53827 OpenClaw < 2026.5.2 - Credential Exposure via Model-Supplied Loopback URLs in message.action Forwarding — OpenClaw 6.5 Medium2026-06-12
CVE-2026-47268 Nezha Monitoring: Authenticated DDNS webhook configuration allows blind SSRF from the dashboard host — nezha 6.4 Medium2026-06-12
CVE-2026-53607 @apostrophecms/file pretty-URL Vulnerable to Unauthenticated SSRF via Host header — apostrophe 3.7 Low2026-06-12
CVE-2026-45012 Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget — apostrophe 7.6 High2026-06-12
CVE-2026-50552 Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail — koel 6.3 Medium2026-06-12
CVE-2026-47260 Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs — koel 7.7 High2026-06-12
CVE-2026-53812 OpenClaw < 2026.5.18 - Private-Network Navigation Bypass via Browser Act Interactions — OpenClaw 7.7 High2026-06-11
CVE-2026-53782 Summarize < 0.17.0 SSRF via podcast:transcript URL fetch — summarize 7.4 High2026-06-11
CVE-2026-47170 Garlic-Hub: SSRF vulnerability in uploadFromUrl endpoint — garlic-hub 7.7 High2026-06-11
CVE-2026-47157 aiograpi: Unsafe signup challenge path handling — aiograpi 6.5 Medium2026-06-11
CVE-2026-46697 Fediverse Embeds: Unauthenticated SSRF / open proxy via REST media-proxy endpoint — fediverse-embeds-wordpress-plugin 7.5 High2026-06-11
CVE-2026-46698 Fediverse Embeds: Public-nonce SSRF via ftf_get_site_info AJAX action — fediverse-embeds-wordpress-plugin 5.3 Medium2026-06-11
CVE-2026-44492 Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) — axios 8.6 High2026-06-11
CVE-2026-3341 IBM Langflow Desktop 1.0.0 - 1.9.2 DNS Rebinding Bypasses SSRF Protection Allowing Access to Internal Services — Langflow Desktop 5.4 Medium2026-06-11
CVE-2026-9204 Server-Side Request Forgery (SSRF) in GitLab — GitLab 5.3 Medium2026-06-11
CVE-2026-40999 Spring WS SSRF via unvalidated WS-Addressing reply destinations — Spring Web Services 8.6 High2026-06-11
CVE-2026-50131 Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges — fedify 8.6 High2026-06-10

Vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)) represent 1709 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.