CWE-918 (Server-Side Request Forgery (SSRF)) — Vulnerability Class 1489

1489 vulnerabilities classified as CWE-918 (Server-Side Request Forgery (SSRF)). AI Chinese analysis included.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-39845 | Weblate: SSRF via the webhook add-on using unprotected fetch_url() | weblate | 4.1 | Medium | 2026-04-15 |
| CVE-2026-33440 | Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads | weblate | 5.0 | Medium | 2026-04-15 |
| CVE-2026-35032 | Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner | jellyfin | 8.1 | - | 2026-04-14 |
| CVE-2025-59809 | Fortinet FortiSOAR PaaS and Fortinet FortiSOAR on-premise code issue vulnerability | FortiSOAR on-premise | 4.1 | Medium | 2026-04-14 |
| CVE-2026-34225 | Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality | open-webui | 4.3 | Medium | 2026-04-14 |
| CVE-2026-39418 | MaxKB: SSRF via sandbox network hook bypass | MaxKB | 5.0 | Medium | 2026-04-14 |
| CVE-2026-6220 | HummerRisk Video File Download URL ServerService.java ServerService.addServer server-side request forgery | HummerRisk | 4.7 | Medium | 2026-04-13 |
| CVE-2026-33659 | EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access | espocrm | 3.5 | Low | 2026-04-13 |
| CVE-2026-6215 | DbGate REST/GraphQL openApiDriver.ts apiServerUrl1 server-side request forgery | DbGate | 6.3 | Medium | 2026-04-13 |
| CVE-2026-33534 | EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation | espocrm | 4.3 | Medium | 2026-04-13 |
| CVE-2026-34476 | Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server | Apache SkyWalking MCP | 9.1 | - | 2026-04-13 |
| CVE-2026-5936 | Server-Side Request Forgery (SSRF) via URL Parameter in Foxit PDF Services API | Foxit PDF Services API | 8.5 | High | 2026-04-13 |
| CVE-2026-6119 | AstrBotDevs AstrBot API Endpoint post_data.get server-side request forgery | AstrBot | 6.3 | Medium | 2026-04-12 |
| CVE-2026-6111 | FoundationAgents MetaGPT common.py decode_image server-side request forgery | MetaGPT | 6.3 | Medium | 2026-04-12 |
| CVE-2026-4979 | UsersWP <= 1.2.58 - Authenticated (Subscriber+) Server-Side Request Forgery via 'uwp_crop' Parameter | UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP | 5.0 | Medium | 2026-04-11 |
| CVE-2026-40242 | Arcane Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint | arcane | 7.2 | High | 2026-04-10 |
| CVE-2026-39922 | GeoNode SSRF via Service Registration | GeoNode | 8.1 | - | 2026-04-10 |
| CVE-2026-39921 | GeoNode < 4.4.5, 5.0.2 SSRF via Document Upload | GeoNode | 7.1 | - | 2026-04-10 |
| CVE-2026-40168 | Postiz has Server-Side Request Forgery via Redirect Bypass in /api/public/stream | postiz-app | 8.2 | High | 2026-04-10 |
| CVE-2026-30232 | Chartbrew has SSRF in API Data Connection - No IP Validation on User-Provided URLs | chartbrew | 8.1 | - | 2026-04-10 |
| CVE-2026-31941 | Server-Side Request Forgery (SSRF) in Chamilo LMS | chamilo-lms | 7.7 | High | 2026-04-10 |
| CVE-2026-40160 | PraisonAIAgents has SSRF via unvalidated URL in `web_crawl` httpx fallback | PraisonAIAgents | 7.4 (AI) | High (AI) | 2026-04-10 |
| CVE-2026-40100 | FastGPT has Unauthenticated SSRF in /api/core/app/mcpTools/runTool via missing CHECK_INTERNAL_IP default | FastGPT | 5.3 | Medium | 2026-04-10 |
| CVE-2026-6011 | OpenClaw assertPublicHostname web-fetch.ts server-side request forgery | OpenClaw | 5.6 | Medium | 2026-04-10 |
| CVE-2026-35629 | OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions | OpenClaw | 7.4 | High | 2026-04-09 |
| CVE-2026-40150 | PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in web_crawl Tool | PraisonAIAgents | 7.7 | High | 2026-04-09 |
| CVE-2026-40114 | PraisonAI has Server-Side Request Forgery via Unvalidated webhook_url in Jobs API | PraisonAI | 7.2 | High | 2026-04-09 |
| CVE-2026-40107 | SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering | siyuan | 6.1 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-40089 | Sonicverse has Server-Side Request Forgery via user-controlled URLs in dashboard API client | audiostreaming-stack | 9.9 | Critical | 2026-04-09 |
| CVE-2026-40072 | web3.py affected by SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling | web3.py | 9.1 (AI) | Critical (AI) | 2026-04-09 |

Vulnerabilities classified as CWE-918 (Server-Side Request Forgery (SSRF)) represent 1489 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.