CWE-918 (服务端请求伪造(SSRF)) — Vulnerability Class 1481

1481 vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)). AI Chinese analysis included.

CVE ID	Title	CVSS	Severity	Published
CVE-2026-33458	Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure — Kibana	6.8	Medium	2026-04-08
CVE-2026-2377	Mirror-registry: quay: quay: server-side request forgery via log export functionality — mirror registry for Red Hat OpenShift	6.5	Medium	2026-04-08
CVE-2026-39695	WordPress Podigee plugin <= 1.4.0 - Server Side Request Forgery (SSRF) vulnerability — Podigee	9.1^AI	Critical^AI	2026-04-08
CVE-2026-39670	WordPress Visual Link Preview plugin <= 2.3.0 - Server Side Request Forgery (SSRF) vulnerability — Visual Link Preview	9.1^AI	Critical^AI	2026-04-08
CVE-2026-39645	WordPress GlobalPayments WooCommerce plugin <= 1.18.0 - Server Side Request Forgery (SSRF) vulnerability — GlobalPayments WooCommerce	9.8^AI	Critical^AI	2026-04-08
CVE-2026-39647	WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin <= 5.11 - Server Side Request Forgery (SSRF) vulnerability — MP3 Audio Player for Music, Radio & Podcast by Sonaar	9.1^AI	Critical^AI	2026-04-08
CVE-2026-39630	WordPress Getty Images plugin <= 4.1.0 - Server Side Request Forgery (SSRF) vulnerability — Getty Images	7.5^AI	High^AI	2026-04-08
CVE-2026-39521	WordPress Nelio Content plugin <= 4.3.1 - Server Side Request Forgery (SSRF) vulnerability — Nelio Content	9.1^AI	Critical^AI	2026-04-08
CVE-2026-39464	WordPress Coming Soon Page, Under Construction & Maintenance Mode by SeedProd plugin <= 6.19.8 - Server Side Request Forgery (SSRF) vulnerability — Coming Soon Page, Under Construction & Maintenance Mode by SeedProd	9.8^AI	Critical^AI	2026-04-08
CVE-2026-1343	Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access — Verify Identity Access Container	7.2	High	2026-04-08
CVE-2026-39370	WWBN AVideo has an Allowlisted downloadURL media extensions bypass SSRF protection and enable internal response exfiltration (Incomplete fix for CVE-2026-27732) — AVideo	7.1	High	2026-04-07
CVE-2026-39368	WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services — AVideo	6.5	Medium	2026-04-07
CVE-2026-39361	OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url — openobserve	7.7	High	2026-04-07
CVE-2026-35572	SSRF via Referer header in ChurchCRM allows server-side HTTP/HTTPS requests to arbitrary hosts — CRM	7.1^AI	High^AI	2026-04-07
CVE-2026-35516	LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection — LinkAce	5.0	Medium	2026-04-07
CVE-2026-35486	text-generation-webui has a SSRF in superbooga/superboogav2 extensions — no URL validation — text-generation-webui	7.5	High	2026-04-07
CVE-2026-35461	Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL — papra	5.0	Medium	2026-04-07
CVE-2026-35409	Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import — directus	7.7	High	2026-04-06
CVE-2026-35459	pyLoad has SSRF fix bypass via HTTP redirect — pyload	4.6^AI	Medium^AI	2026-04-06
CVE-2026-35187	pyLoad has SSRF in parse_urls API endpoint via unvalidated URL parameter — pyload	7.7	High	2026-04-06
CVE-2026-35037	Ech0 affected by unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata — Ech0	7.2	High	2026-04-06
CVE-2026-35036	Ech0 Affected by Unauthenticated Server-Side Request Forgery in Website Preview Feature — Ech0	7.5	High	2026-04-06
CVE-2026-34981	whisperX REST API: SSRF in download_from_url() — URL validation happens after HTTP request, extension bypass via .mp3 — whisperX-FastAPI	5.8	Medium	2026-04-06
CVE-2026-34753	vLLM affected by Server-Side Request Forgery (SSRF) in `download_bytes_from_url ` — vllm	5.4	Medium	2026-04-06
CVE-2026-33752	Redirect-based SSRF leading to internal network access in curl_cffi (with TLS impersonation bypass) — curl_cffi	8.6	High	2026-04-06
CVE-2026-33540	Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm — distribution	7.5	High	2026-04-06
CVE-2026-5633	assafelovic gpt-researcher ws Endpoint server-side request forgery — gpt-researcher	7.3	High	2026-04-06
CVE-2026-5623	hcengineering Huly Platform Import Endpoint index.ts server-side request forgery — Huly Platform	6.3	Medium	2026-04-06
CVE-2026-5618	kalcaddle kodbox shareMake/shareCheck server-side request forgery — kodbox	5.6	Medium	2026-04-06
CVE-2026-5607	imprvhub mcp-browser-agent URL Parameter handlers.ts CallToolRequestSchema server-side request forgery — mcp-browser-agent	6.3	Medium	2026-04-06

Vulnerabilities classified as CWE-918 (服务端请求伪造(SSRF)) represent 1481 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.

Goal Reached Thanks to every supporter — we hit 100%!

CWE-918 (服务端请求伪造(SSRF)) — Vulnerability Class 1481