CWE-918 (Server-Side Request Forgery (SSRF)) — Vulnerability Class 1478

1478 vulnerabilities classified as CWE-918 (Server-Side Request Forgery (SSRF)). AI Chinese analysis included.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-7025 | Typecho Ping Back Service Endpoint Service.php sendPingHandle server-side request forgery — Typecho | 7.3 | High | 2026-04-26 |
| CVE-2026-6983 | pagekit download server-side request forgery — pagekit | 4.7 | Medium | 2026-04-25 |
| CVE-2026-6981 | IhateCreatingUserNames2 AiraHub2 Endpoint AiraHub.py sync_agents server-side request forgery — AiraHub2 | 6.3 | Medium | 2026-04-25 |
| CVE-2026-6979 | devlikeapro WAHA API Request media.controller.ts server-side request forgery — WAHA | 6.3 | Medium | 2026-04-25 |
| CVE-2026-41488 | langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding — langchain-openai | 3.1 | Low | 2026-04-24 |
| CVE-2026-41481 | LangChain: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass — langchain-text-splitters | 6.5 | Medium | 2026-04-24 |
| CVE-2026-42038 | Axios: no_proxy bypass via IP alias allows SSRF — axios | 6.8 | Medium | 2026-04-24 |
| CVE-2026-41321 | @astrojs/cloudflare: SSRF via redirect following in Cloudflare image-binding-transform endpoint — @astrojs/cloudflare | 2.2 | Low | 2026-04-24 |
| CVE-2026-31955 | Xibo CMS has Authenticated Server-Side Request Forgery (SSRF) in Remote DataSet Functionality — xibo-cms | 4.9 | Medium | 2026-04-24 |
| CVE-2026-35431 | Microsoft Entra ID Entitlement Management Spoofing Vulnerability — Microsoft Entra | 10.0 | Critical | 2026-04-23 |
| CVE-2026-26150 | Microsoft Purview eDiscovery Elevation of Privilege Vulnerability — Microsoft Purview eDiscovery | 8.6 | High | 2026-04-23 |
| CVE-2026-32210 | Microsoft Dynamics 365 (online) Spoofing Vulnerability — Microsoft Dynamics 365 (online) | 9.3 | Critical | 2026-04-23 |
| CVE-2026-41271 | Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains — Flowise | 8.6 (AI) | High (AI) | 2026-04-23 |
| CVE-2026-41272 | Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) — Flowise | 7.1 | High | 2026-04-23 |
| CVE-2026-41461 | SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview — SocialEngine | 8.5 | High | 2026-04-23 |
| CVE-2026-41172 | Squidex vulnerable to Server-Side Request Forgery (SSRF) via URL-based asset upload (/api/apps/{app}/assets) — squidex | 4.3 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-41171 | SSRF via Jint Scripting Engine HTTP Functions Due to Missing SSRF Protection on "Jint" HttpClient — squidex | 8.1 (AI) | High (AI) | 2026-04-22 |
| CVE-2026-41170 | Squidex has SSRF via Backup Restore Endpoint — Admin-Controlled URL Download Allows Internal and External Requests — squidex | 6.8 (AI) | Medium (AI) | 2026-04-22 |
| CVE-2026-41455 | WeKan < 8.35 SSRF via Webhook URL — wekan | 8.5 | High | 2026-04-22 |
| CVE-2026-41130 | Craft CMS has a host header injection leading to SSRF via resource-js endpoint — cms | 10.0 (AI) | Critical (AI) | 2026-04-21 |
| CVE-2026-41129 | Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations — cms | 8.3 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-41060 | AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL — AVideo | 7.7 | High | 2026-04-21 |
| CVE-2026-41055 | AVideo has an incomplete fix for CVE-2026-33039 (SSRF) — AVideo | 8.6 | High | 2026-04-21 |
| CVE-2026-5921 | Server-Side Request Forgery in GitHub Enterprise Server allowed extraction of sensitive environment variables via timing side-channel attack — Enterprise Server | 7.5 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-6744 | Bagisto Downloadable Link copy server-side request forgery — Bagisto | 6.3 | Medium | 2026-04-21 |
| CVE-2026-40566 | FreeScout vulnerable to SSRF via IMAP/SMTP Connection Test Endpoints — freescout | 4.1 | Medium | 2026-04-21 |
| CVE-2026-35587 | Glances IP Plugin has SSRF via public_api that leads to credential leakage — glances | 9.8 (AI) | Critical (AI) | 2026-04-20 |
| CVE-2026-41302 | OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace Plugin Download — OpenClaw | 7.6 | High | 2026-04-20 |
| CVE-2026-41297 | OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect — OpenClaw | 7.6 | High | 2026-04-20 |
| CVE-2026-33626 | LMDeploy Vulnerable to Server-Side Request Forgery (SSRF) via Vision-Language Image Loading — lmdeploy | 7.5 | High | 2026-04-20 |

Vulnerabilities classified as CWE-918 (Server-Side Request Forgery (SSRF)) represent 1478 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.