Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-918 (服务端请求伪造(SSRF)) — Vulnerability Class 1539

1539 vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)). AI Chinese analysis included.

CWE-918, Server-Side Request Forgery, is a critical web security weakness where an application allows users to specify URLs that the server subsequently fetches without adequate validation. Attackers typically exploit this by manipulating input parameters to force the server to access internal resources, such as cloud metadata services or local network endpoints, which are otherwise inaccessible from the outside. This bypasses perimeter defenses, potentially leading to sensitive data exposure or internal network reconnaissance. To mitigate SSRF, developers must implement strict input validation, ensuring that only whitelisted domains and protocols are permitted. Additionally, employing network-level controls like firewalls to restrict outbound connections from the application server and isolating internal services from public-facing interfaces significantly reduces the attack surface, preventing unauthorized internal access.

MITRE CWE Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Common Consequences (3)
ConfidentialityRead Application Data
IntegrityExecute Unauthorized Code or Commands
Access ControlBypass Protection Mechanism
By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts i…
Examples (1)
This code intends to receive a URL from a user, access the URL, and return the results to the user.
$url = $_GET['url']; # User-controlled input # Fetch the content of the provided URL $response = file_get_contents($url); echo $response;
Bad · PHP
# Define allowed URLs (or domains) $allowed_urls = [ 'https://example.com/data.json', 'https://api.example.com/info', ]; # Get the user-provided URL $url = $_GET['url'] ?? ''; # Validate against allowed URLs if (!in_array($url, $allowed_urls)) { http_response_code(400); echo "Invalid or unauthorized URL."; exit; } # Fetch content safely $response = @file_get_contents($url); if ($response === false) { http_response_code(500); echo "Failed to fetch content."; exit; } echo htmlspecialchars($response); # Escape output for safety
Good · PHP
CVE IDTitleCVSSSeverityPublished
CVE-2026-33626 LMDeploy Vulnerable to Server-Side Request Forgery (SSRF) via Vision-Language Image Loading — lmdeploy 7.5 High2026-04-20
CVE-2026-25883 Vexa Webhook Feature has a SSRF Vulnerability — vexa 5.8 Medium2026-04-20
CVE-2026-34428 Vvveb < 1.0.8.1 SSRF via oEmbedProxy — Vvveb 7.7 High2026-04-20
CVE-2026-6649 Qibo CMS headers server-side request forgery — CMS 6.3 Medium2026-04-20
CVE-2026-6625 moxi624 Mogu Blog v2 Picture Storage Service LocalFileServiceImpl.java LocalFileServiceImpl.uploadPictureByUrl server-side request forgery — Mogu Blog v2 7.3 High2026-04-20
CVE-2026-6618 langgenius dify ApiBasedToolSchemaParser parser.py parse_openai_plugin_json_to_tool_bundle server-side request forgery — dify 6.3 Medium2026-04-20
CVE-2026-6617 langgenius dify ApiToolManageService api_tools_manage_service.py get_api_tool_provider_remote_schema server-side request forgery — dify 6.3 Medium2026-04-20
CVE-2026-6616 TransformerOptimus SuperAGI WebScraperTool webpage_extractor.py extract_with_lxml server-side request forgery — SuperAGI 6.3 Medium2026-04-20
CVE-2026-6606 modelscope agentscope _agent_base.py _process_audio_block server-side request forgery — agentscope 7.3 High2026-04-20
CVE-2026-6605 modelscope agentscope Internal Service _common.py _get_bytes_from_web_url server-side request forgery — agentscope 7.3 High2026-04-20
CVE-2026-6604 modelscope agentscope Cloud Metadata Endpoint _openai_tools.py openai_audio_to_text server-side request forgery — agentscope 7.3 High2026-04-20
CVE-2026-6587 vibrantlabsai RAGAS Collections util.py _try_process_url server-side request forgery — RAGAS 6.3 Medium2026-04-20
CVE-2026-6573 PHPEMS Instant Exam Creation exams.master.php temppage server-side request forgery — PHPEMS 6.3 Medium2026-04-19
CVE-2026-40348 Movary has Authenticated SSRF via Jellyfin Server URL Verification that Allows Internal Network Probing — movary 7.7 High2026-04-18
CVE-2026-40346 NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins — @nocobase/plugin-workflow-request 8.3AIHighAI2026-04-17
CVE-2026-40516 OpenHarness SSRF via web_fetch and web_search — OpenHarness 8.3 High2026-04-17
CVE-2026-6497 prasathmani TinyFileManager File Upload filemanager.php server-side request forgery — TinyFileManager 6.3 Medium2026-04-17
CVE-2026-5131 Server-Side Request Forgery in GREENmod — GREENmod 9.8AICriticalAI2026-04-17
CVE-2026-5052 Vault Vulnerable to Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS — Vault 5.3 Medium2026-04-17
CVE-2026-40500 ProcessWire CMS SSRF via Add Module From URL — processwire 6.8 Medium2026-04-15
CVE-2026-39845 Weblate: SSRF via the webhook add-on using unprotected fetch_url() — weblate 4.1 Medium2026-04-15
CVE-2026-33440 Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads — weblate 5.0 Medium2026-04-15
CVE-2026-35032 Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner — jellyfin 8.1 -2026-04-14
CVE-2025-59809 Fortinet FortiSOAR PaaS和Fortinet FortiSOAR on-premise 代码问题漏洞 — FortiSOAR on-premise 4.1 Medium2026-04-14
CVE-2026-34225 Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality — open-webui 4.3 Medium2026-04-14
CVE-2026-39418 MaxKB: SSRF via sandbox network hook bypass — MaxKB 5.0 Medium2026-04-14
CVE-2026-6220 HummerRisk Video File Download URL ServerService.java ServerService.addServer server-side request forgery — HummerRisk 4.7 Medium2026-04-13
CVE-2026-33659 EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access — espocrm 3.5 Low2026-04-13
CVE-2026-6215 DbGate REST/GraphQL openApiDriver.ts apiServerUrl1 server-side request forgery — DbGate 6.3 Medium2026-04-13
CVE-2026-33534 EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation — espocrm 4.3 Medium2026-04-13

Vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)) represent 1539 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.