Total
1905 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-48951 | 1 Logpoint | 2 Logpoint, Siem | 2025-04-30 | 7.5 High |
| An issue was discovered in Logpoint before 7.5.0. Server-Side Request Forgery (SSRF) on SOAR can be used to leak Logpoint's API Token leading to authentication bypass. | ||||
| CVE-2025-31117 | 1 Open-emr | 1 Openemr | 2025-04-30 | 7.5 High |
| OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in OpenEMR, allowing an attacker to force the server to make unauthorized requests to external or internal resources. this attack does not return a direct response but can be exploited through DNS or HTTP interactions to exfiltrate sensitive information. This vulnerability is fixed in 7.0.3.1. | ||||
| CVE-2021-25972 | 1 Tuzitio | 1 Camaleon Cms | 2025-04-30 | 4.9 Medium |
| In Camaleon CMS, versions 2.1.2.0 to 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload feature, which allows admin users to fetch media files from external URLs but fails to validate URLs referencing to localhost or other internal servers. This allows attackers to read files stored in the internal server. | ||||
| CVE-2022-42894 | 1 Siemens | 1 Syngo Dynamics Cardiovascular Imaging And Information System | 2025-04-30 | 7.5 High |
| A vulnerability has been identified in syngo Dynamics (All versions < VA40G HF01). An unauthenticated Server-Side Request Forgery (SSRF) vulnerability was identified in one of the web services exposed on the syngo Dynamics application that could allow for the leaking of NTLM credentials as well as local service enumeration. | ||||
| CVE-2022-43140 | 1 Keking | 1 Kkfileview | 2025-04-30 | 7.5 High |
| kkFileView v4.1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component cn.keking.web.controller.OnlinePreviewController#getCorsFile. This vulnerability allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the url parameter. | ||||
| CVE-2022-43183 | 1 Xuxueli | 1 Xxl-job | 2025-04-29 | 8.8 High |
| XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java. | ||||
| CVE-2022-40842 | 1 Ndk-design | 1 Ndkadvancedcustomizationfields | 2025-04-29 | 9.1 Critical |
| ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Server-side request forgery (SSRF) via rotateimg.php. | ||||
| CVE-2022-45152 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2025-04-29 | 9.1 Critical |
| A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks. | ||||
| CVE-2025-46511 | 2025-04-29 | 6.4 Medium | ||
| Server-Side Request Forgery (SSRF) vulnerability in Derek Springer BeerXML Shortcode allows Server Side Request Forgery. This issue affects BeerXML Shortcode: from n/a through 0.71. | ||||
| CVE-2025-46443 | 2025-04-29 | 4.9 Medium | ||
| Server-Side Request Forgery (SSRF) vulnerability in Adam Pery Animate allows Server Side Request Forgery. This issue affects Animate: from n/a through 0.5. | ||||
| CVE-2024-33864 | 2 Linqi, Microsoft | 2 Linqi, Windows | 2025-04-28 | 5.9 Medium |
| An issue was discovered in linqi before 1.4.0.1 on Windows. There is SSRF via Document template generation; i.e., via remote images in process creation, file inclusion, and PDF document generation via malicious JavaScript. | ||||
| CVE-2025-29449 | 1 Lm21 | 1 Twonav | 2025-04-25 | 6.5 Medium |
| An issue in twonav v.2.1.18-20241105 allows a remote attacker to obtain sensitive information via the link identification function. | ||||
| CVE-2025-29460 | 1 Mybb | 1 Mybb | 2025-04-25 | 7.6 High |
| An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. | ||||
| CVE-2022-41412 | 1 Perfsonar | 1 Perfsonar | 2025-04-24 | 8.6 High |
| An issue in the graphData.cgi component of perfSONAR v4.4.5 and prior allows attackers to access sensitive data and execute Server-Side Request Forgery (SSRF) attacks. | ||||
| CVE-2023-6294 | 2 Popup Builder, Sygnoos | 2 Popup Builder, Popup Builder | 2025-04-24 | 7.5 High |
| The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations. | ||||
| CVE-2022-35508 | 1 Proxmox | 3 Proxmox Mail Gateway, Pve Http Server, Virtual Environment | 2025-04-24 | 9.8 Critical |
| Proxmox Virtual Environment (PVE) and Proxmox Mail Gateway (PMG) are vulnerable to SSRF when proxying HTTP requests between pve(pmg)proxy and pve(pmg)daemon. An attacker with an unprivileged account can craft an HTTP request to achieve SSRF and file disclosure of any files on the server. Also, in Proxmox Mail Gateway, privilege escalation to the root@pam account is possible if the backup feature has ever been used, because backup files such as pmg-backup_YYYY_MM_DD_*.tgz have 0644 permissions and contain an authkey value. This is fixed in pve-http-server 4.1-3. | ||||
| CVE-2025-29458 | 1 Mybb | 1 Mybb | 2025-04-24 | 7.6 High |
| An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. | ||||
| CVE-2025-29457 | 1 Mybb | 1 Mybb | 2025-04-24 | 7.6 High |
| An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation. | ||||
| CVE-2022-43880 | 1 Ibm | 1 Qradar Wincollect | 2025-04-24 | 4.4 Medium |
| IBM QRadar WinCollect Agent 10.0 through 10.1.2 could allow a privileged user to cause a denial of service. IBM X-Force ID: 240151. | ||||
| CVE-2025-3691 | 1 Mirweiye | 1 Seven Bears Library Cms | 2025-04-24 | 2.7 Low |
| A vulnerability was found in mirweiye Seven Bears Library CMS 2023. It has been classified as problematic. Affected is an unknown function of the component Add Link Handler. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||