Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-918 (服务端请求伪造(SSRF)) — Vulnerability Class 1540

1540 vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)). AI Chinese analysis included.

CWE-918, Server-Side Request Forgery, is a critical web security weakness where an application allows users to specify URLs that the server subsequently fetches without adequate validation. Attackers typically exploit this by manipulating input parameters to force the server to access internal resources, such as cloud metadata services or local network endpoints, which are otherwise inaccessible from the outside. This bypasses perimeter defenses, potentially leading to sensitive data exposure or internal network reconnaissance. To mitigate SSRF, developers must implement strict input validation, ensuring that only whitelisted domains and protocols are permitted. Additionally, employing network-level controls like firewalls to restrict outbound connections from the application server and isolating internal services from public-facing interfaces significantly reduces the attack surface, preventing unauthorized internal access.

MITRE CWE Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Common Consequences (3)
ConfidentialityRead Application Data
IntegrityExecute Unauthorized Code or Commands
Access ControlBypass Protection Mechanism
By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts i…
Examples (1)
This code intends to receive a URL from a user, access the URL, and return the results to the user.
$url = $_GET['url']; # User-controlled input # Fetch the content of the provided URL $response = file_get_contents($url); echo $response;
Bad · PHP
# Define allowed URLs (or domains) $allowed_urls = [ 'https://example.com/data.json', 'https://api.example.com/info', ]; # Get the user-provided URL $url = $_GET['url'] ?? ''; # Validate against allowed URLs if (!in_array($url, $allowed_urls)) { http_response_code(400); echo "Invalid or unauthorized URL."; exit; } # Fetch content safely $response = @file_get_contents($url); if ($response === false) { http_response_code(500); echo "Failed to fetch content."; exit; } echo htmlspecialchars($response); # Escape output for safety
Good · PHP
CVE IDTitleCVSSSeverityPublished
CVE-2026-3788 Bytedesk SpringAIOpenrouterRestController SpringAIOpenrouterRestService.java getModels server-side request forgery — Bytedesk 6.3 Medium2026-03-08
CVE-2026-3750 ContiNew Admin Storage Management S3ClientFactory.java URI.create server-side request forgery — ContiNew Admin 4.7 Medium2026-03-08
CVE-2026-3733 xuxueli xxl-job JobInfoController.java server-side request forgery — xxl-job 6.3 Medium2026-03-08
CVE-2026-3683 bufanyun HotGo Endpoint upload.go ImageTransferStorage server-side request forgery — HotGo 6.3 Medium2026-03-07
CVE-2026-3681 welovemedia FFmate webhook.go fireWebhook server-side request forgery — FFmate 6.3 Medium2026-03-07
CVE-2026-30858 WeKnora: DNS Rebinding Vulnerability in web_fetch Tool Allows SSRF to Internal Resources — WeKnora 6.5 Medium2026-03-07
CVE-2026-30832 Soft Serve: SSRF via unvalidated LFS endpoint in repo import — soft-serve 9.1 Critical2026-03-07
CVE-2026-30834 PinchTab: SSRF with Full Response Exfiltration via Download Handler — pinchtab 7.5 High2026-03-07
CVE-2026-27797 Homarr: Unauthenticated SSRF in rssFeed.ts — homarr 5.3 Medium2026-03-07
CVE-2026-30840 Wallos: Server-Side Request Forgery (SSRF) in Notification Testers — Wallos 9.8 -2026-03-07
CVE-2026-30839 Wallos: SSRF via webhook test endpoint — Wallos 6.5 -2026-03-07
CVE-2026-30247 WeKnora: SSRF via Redirection — WeKnora 5.9 Medium2026-03-07
CVE-2026-30242 Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer — plane 8.5 High2026-03-06
CVE-2026-30844 Wekan Vulnerable to SSRF through Lack of Validation or Filtering in Attachment URL Loading — Wekan 9.1 -2026-03-06
CVE-2026-29178 Lemmy: Unauthenticated SSRF via file_type query parameter injection in image endpoint — lemmy 7.5 -2026-03-06
CVE-2026-28680 Ghostfolio: Full-Read SSRF in Manual Asset Import — ghostfolio 9.3 Critical2026-03-06
CVE-2026-28677 OpenSift: Insufficient URL destination restrictions in ingest flow could enable SSRF-style internal access — OpenSift 8.2 High2026-03-06
CVE-2026-28508 Idno: Unauthenticated SSRF via URL Unfurl Endpoint — idno 6.5 -2026-03-06
CVE-2026-28476 OpenClaw < 2026.2.14 - Server-Side Request Forgery in Tlon Extension Authentication — OpenClaw 8.3 High2026-03-05
CVE-2026-28467 OpenClaw < 2026.2.2 - SSRF via Attachment Media URL Hydration — OpenClaw 6.5 Medium2026-03-05
CVE-2026-27023 Twenty: SSRF protection bypass via HTTP redirect following in secure HTTP client — twenty 5.0 Medium2026-03-05
CVE-2026-28036 WordPress Ratatouille theme <= 1.2.6 - Server Side Request Forgery (SSRF) vulnerability — Ratatouille 6.4 Medium2026-03-05
CVE-2026-3125 SSRF vulnerability in opennextjs-cloudflare via /cdn-cgi/ path normalization bypass — @opennextjs/cloudflare 9.1AICriticalAI2026-03-04
CVE-2026-1273 PostX <= 5.0.8 - Authenticated (Administrator+) Server-Side Request Forgery via REST API Endpoints — Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX 7.2 High2026-03-04
CVE-2026-27600 HomeBox affected by Blind SSRF — homebox 5.0 Medium2026-03-03
CVE-2025-64427 ZimaOS is vulnerable to Server-Side Request Forgery (SSRF) — ZimaOS 7.1 High2026-03-02
CVE-2025-50199 Chamilo: Blind Server-Side Request Forgery (Unauth Blind SSRF) — chamilo-lms 9.1AICriticalAI2026-03-02
CVE-2024-50337 Chamilo: Potential unauthenticated blind SSRF via openid function — chamilo-lms 5.3 Medium2026-03-02
CVE-2026-27759 Featured Image from Content < 1.7 Authenticated SSRF via save_post — Featured Image from Content 8.1 -2026-02-27
CVE-2026-28423 Statamic Vulnerable to Server-Side Request Forgery via Glide — cms 6.8 Medium2026-02-27

Vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)) represent 1540 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.