Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-918 (服务端请求伪造(SSRF)) — Vulnerability Class 1540

1540 vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)). AI Chinese analysis included.

CWE-918, Server-Side Request Forgery, is a critical web security weakness where an application allows users to specify URLs that the server subsequently fetches without adequate validation. Attackers typically exploit this by manipulating input parameters to force the server to access internal resources, such as cloud metadata services or local network endpoints, which are otherwise inaccessible from the outside. This bypasses perimeter defenses, potentially leading to sensitive data exposure or internal network reconnaissance. To mitigate SSRF, developers must implement strict input validation, ensuring that only whitelisted domains and protocols are permitted. Additionally, employing network-level controls like firewalls to restrict outbound connections from the application server and isolating internal services from public-facing interfaces significantly reduces the attack surface, preventing unauthorized internal access.

MITRE CWE Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Common Consequences (3)
ConfidentialityRead Application Data
IntegrityExecute Unauthorized Code or Commands
Access ControlBypass Protection Mechanism
By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts i…
Examples (1)
This code intends to receive a URL from a user, access the URL, and return the results to the user.
$url = $_GET['url']; # User-controlled input # Fetch the content of the provided URL $response = file_get_contents($url); echo $response;
Bad · PHP
# Define allowed URLs (or domains) $allowed_urls = [ 'https://example.com/data.json', 'https://api.example.com/info', ]; # Get the user-provided URL $url = $_GET['url'] ?? ''; # Validate against allowed URLs if (!in_array($url, $allowed_urls)) { http_response_code(400); echo "Invalid or unauthorized URL."; exit; } # Fetch content safely $response = @file_get_contents($url); if ($response === false) { http_response_code(500); echo "Failed to fetch content."; exit; } echo htmlspecialchars($response); # Escape output for safety
Good · PHP
CVE IDTitleCVSSSeverityPublished
CVE-2026-34443 FreeScout: SSRF protection bypass via broken CIDR check in checkIpByMask() — freescout 7.5 -2026-03-31
CVE-2026-34740 AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation — AVideo 6.5 Medium2026-03-31
CVE-2026-34367 InvoiceShelf: SSRF in Invoice PDF Rendering via Unsanitised HTML in Notes Field — InvoiceShelf 7.6 High2026-03-31
CVE-2026-34366 InvoiceShelf: SSRF in Payment Receipt PDF Rendering via Unsanitised HTML in Notes Field — InvoiceShelf 7.6 High2026-03-31
CVE-2026-34365 InvoiceShelf: SSRF in Estimate PDF Rendering via Unsanitised HTML in Notes Field — InvoiceShelf 7.6 High2026-03-31
CVE-2026-33185 Discourse: Group SMTP test endpoint susceptible to SSRF — discourse 4.3 -2026-03-31
CVE-2026-34360 HAPI FHIR: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing — org.hl7.fhir.core 5.8 Medium2026-03-31
CVE-2026-5205 chatwoot Webhook API trigger.rb Trigger server-side request forgery — chatwoot 6.3 Medium2026-03-31
CVE-2026-34504 OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider — OpenClaw 8.3 High2026-03-31
CVE-2026-34163 Server-Side Request Forgery via MCP Tools Endpoint in FastGPT — FastGPT 7.7 High2026-03-31
CVE-2026-34881 OpenStack Glance 安全漏洞 — Glance 5.0 Medium2026-03-31
CVE-2026-31804 Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server — Tautulli 4.0 Medium2026-03-30
CVE-2026-5126 SourceCodester RSS Feed Parser file_get_contents server-side request forgery — RSS Feed Parser 6.3 Medium2026-03-30
CVE-2026-0560 Server-Side Request Forgery (SSRF) in parisneo/lollms — parisneo/lollms 9.8 -2026-03-29
CVE-2026-5016 elecV2 elecV2P URL mock eAxios server-side request forgery — elecV2P 7.3 High2026-03-28
CVE-2025-12886 Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery via route_path — Oxygen - WooCommerce WordPress Theme 7.2 High2026-03-28
CVE-2026-33992 pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration — pyload 7.7 -2026-03-27
CVE-2026-33953 LinkAce's SSRF protection can be bypassed via internal hostname resolution in LinkAce — LinkAce 8.5 High2026-03-27
CVE-2026-31945 LibreChat Server-Side Request Forgery using DNS resolution — LibreChat 7.7 High2026-03-27
CVE-2026-31943 LibreChat has SSRF protection bypass via IPv4-mapped IPv6 normalization in isPrivateIP — LibreChat 8.5 High2026-03-27
CVE-2026-4964 letta-ai letta File URL message_helper.py _convert_message_create_to_message server-side request forgery — letta 6.3 Medium2026-03-27
CVE-2026-33766 AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints — AVideo 8.2 -2026-03-27
CVE-2026-4953 mingSoft MCMS Editor Endpoint BaseAction.java catchImage server-side request forgery — MCMS 7.3 High2026-03-27
CVE-2026-33205 calibre has Server-Side Request Forgery in ebook viewer backend — calibre 8.6 -2026-03-27
CVE-2026-4907 Page-Replica Page Replica Endpoint sitemap sitemap.fetch server-side request forgery — Page Replica 6.3 Medium2026-03-27
CVE-2026-33693 Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid() — lemmy 6.5 Medium2026-03-27
CVE-2026-33682 Streamlit on Windows has Unauthenticated SSRF Vulnerability (NTLM Credential Exposure) — streamlit 4.7 Medium2026-03-26
CVE-2026-33619 PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl — pinchtab 4.1 Medium2026-03-26
CVE-2026-33644 Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs — Lychee 7.5 -2026-03-26
CVE-2026-3530 OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025 — OpenID Connect / OAuth client 9.8AICriticalAI2026-03-26

Vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)) represent 1540 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.