Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-918 (服务端请求伪造(SSRF)) — Vulnerability Class 1539

1539 vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)). AI Chinese analysis included.

CWE-918, Server-Side Request Forgery, is a critical web security weakness where an application allows users to specify URLs that the server subsequently fetches without adequate validation. Attackers typically exploit this by manipulating input parameters to force the server to access internal resources, such as cloud metadata services or local network endpoints, which are otherwise inaccessible from the outside. This bypasses perimeter defenses, potentially leading to sensitive data exposure or internal network reconnaissance. To mitigate SSRF, developers must implement strict input validation, ensuring that only whitelisted domains and protocols are permitted. Additionally, employing network-level controls like firewalls to restrict outbound connections from the application server and isolating internal services from public-facing interfaces significantly reduces the attack surface, preventing unauthorized internal access.

MITRE CWE Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Common Consequences (3)
ConfidentialityRead Application Data
IntegrityExecute Unauthorized Code or Commands
Access ControlBypass Protection Mechanism
By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts i…
Examples (1)
This code intends to receive a URL from a user, access the URL, and return the results to the user.
$url = $_GET['url']; # User-controlled input # Fetch the content of the provided URL $response = file_get_contents($url); echo $response;
Bad · PHP
# Define allowed URLs (or domains) $allowed_urls = [ 'https://example.com/data.json', 'https://api.example.com/info', ]; # Get the user-provided URL $url = $_GET['url'] ?? ''; # Validate against allowed URLs if (!in_array($url, $allowed_urls)) { http_response_code(400); echo "Invalid or unauthorized URL."; exit; } # Fetch content safely $response = @file_get_contents($url); if ($response === false) { http_response_code(500); echo "Failed to fetch content."; exit; } echo htmlspecialchars($response); # Escape output for safety
Good · PHP
CVE IDTitleCVSSSeverityPublished
CVE-2026-7065 BidingCC BuildingAI Remote Upload API file-storage.service.ts uploadRemoteFile server-side request forgery — BuildingAI 7.3 High2026-04-26
CVE-2026-7025 Typecho Ping Back Service Endpoint Service.php sendPingHandle server-side request forgery — Typecho 7.3 High2026-04-26
CVE-2026-6983 pagekit download server-side request forgery — pagekit 4.7 Medium2026-04-25
CVE-2026-6981 IhateCreatingUserNames2 AiraHub2 Endpoint AiraHub.py sync_agents server-side request forgery — AiraHub2 6.3 Medium2026-04-25
CVE-2026-6979 devlikeapro WAHA API Request media.controller.ts server-side request forgery — WAHA 6.3 Medium2026-04-25
CVE-2026-41488 angchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding — langchain-openai 3.1 Low2026-04-24
CVE-2026-41481 LangChain: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass — langchain-text-splitters 6.5 Medium2026-04-24
CVE-2026-42038 Axios: no_proxy bypass via IP alias allows SSRF — axios 6.8 Medium2026-04-24
CVE-2026-41321 @astrojs/cloudflare: SSRF via redirect following in Cloudflare image-binding-transform endpoint — @astrojs/cloudflare 2.2 Low2026-04-24
CVE-2026-31955 Xibo CMS has Authenticated Server-Side Request Forgery (SSRF) in Remote DataSet Functionality — xibo-cms 4.9 Medium2026-04-24
CVE-2026-35431 Microsoft Entra ID Entitlement Management Spoofing Vulnerability — Microsoft Entra 10.0 Critical2026-04-23
CVE-2026-26150 Microsoft Purview eDiscovery Elevation of Privilege Vulnerability — Microsoft Purview eDiscovery 8.6 High2026-04-23
CVE-2026-32210 Microsoft Dynamics 365 (online) Spoofing Vulnerability — Microsoft Dynamics 365 (online) 9.3 Critical2026-04-23
CVE-2026-41271 Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains — Flowise 8.6AIHighAI2026-04-23
CVE-2026-41272 Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) — Flowise 7.1 High2026-04-23
CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview — SocialEngine 8.5 High2026-04-23
CVE-2026-41172 Squidex vulnerable to Server-Side Request Forgery (SSRF) via URL-based asset upload (/api/apps/{app}/assets) — squidex 4.3AIMediumAI2026-04-22
CVE-2026-41171 SSRF via Jint Scripting Engine HTTP Functions Due to Missing SSRF Protection on "Jint" HttpClient — squidex 8.1AIHighAI2026-04-22
CVE-2026-41170 Squidex has SSRF via Backup Restore Endpoint — Admin-Controlled URL Download Allows Internal and External Requests — squidex 6.8AIMediumAI2026-04-22
CVE-2026-41455 WeKan < 8.35 SSRF via Webhook URL — wekan 8.5 High2026-04-22
CVE-2026-41130 Craft CMS has a host header injection leading to SSRF via resource-js endpoint — cms 10.0AICriticalAI2026-04-21
CVE-2026-41129 Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations — cms 8.3AIHighAI2026-04-21
CVE-2026-41060 AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL — AVideo 7.7 High2026-04-21
CVE-2026-41055 AVideo has an incomplete fix for CVE-2026-33039 (SSRF) — AVideo 8.6 High2026-04-21
CVE-2026-5921 Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack — Enterprise Server 7.5AIHighAI2026-04-21
CVE-2026-6744 Bagisto Downloadable Link copy server-side request forgery — Bagisto 6.3 Medium2026-04-21
CVE-2026-40566 FreeScout vulnerable to SSRF via IMAP/SMTP Connection Test Endpoints — freescout 4.1 Medium2026-04-21
CVE-2026-35587 Glances IP Plugin has SSRF via public_api that leads to credential leakage — glances 9.8AICriticalAI2026-04-20
CVE-2026-41302 OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace Plugin Download — OpenClaw 7.6 High2026-04-20
CVE-2026-41297 OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect — OpenClaw 7.6 High2026-04-20

Vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)) represent 1539 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.