Total
1935 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-68893 | 2 Hetworks, Wordpress | 2 Wordpress Image Shrinker, Wordpress | 2025-12-31 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in HETWORKS WordPress Image shrinker allows Server Side Request Forgery.This issue affects WordPress Image shrinker: from n/a through 1.1.0. | ||||
| CVE-2025-60541 | 2 Linshenkx, Prompt Optimizer Project | 2 Prompt Optimizer, Prompt Optimizer | 2025-12-31 | 7.3 High |
| A Server-Side Request Forgery (SSRF) in the /api/proxy/ component of linshenkx prompt-optimizer v1.3.0 to v1.4.2 allows attackers to scan internal resources via a crafted request. | ||||
| CVE-2025-64522 | 2 Charm, Charmbracelet | 2 Soft Serve, Soft-serve | 2025-12-31 | 9.1 Critical |
| Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoints. Version 0.11.1 fixes the vulnerability. | ||||
| CVE-2025-63408 | 2 Ispyconnect, Ispysoftware | 2 Agent Dvr, Agent Dvr | 2025-12-31 | 5.1 Medium |
| Local Agent DVR versions thru 6.6.1.0 are vulnerable to directory traversal that allows an unauthenticated local attacker to gain access to sensitive information, cause a server-side forgery request (SSRF), or execute OS commands. | ||||
| CVE-2023-53899 | 1 Podcastgenerator | 1 Podcast Generator | 2025-12-30 | 9.8 Critical |
| PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation. | ||||
| CVE-2025-68500 | 2 Bdthemes, Wordpress | 2 Prime Slider, Wordpress | 2025-12-29 | 9.1 Critical |
| Server-Side Request Forgery (SSRF) vulnerability in bdthemes Prime Slider – Addons For Elementor bdthemes-prime-slider-lite allows Server Side Request Forgery.This issue affects Prime Slider – Addons For Elementor: from n/a through <= 4.0.10. | ||||
| CVE-2019-25251 | 1 Teradek | 1 Vidiu | 2025-12-29 | 5.3 Medium |
| Teradek VidiU Pro 3.0.3 contains a server-side request forgery vulnerability in the management interface that allows attackers to manipulate GET parameters 'url' and 'xml_url'. Attackers can exploit this flaw to bypass firewalls, initiate network enumeration, and potentially trigger external HTTP requests to arbitrary destinations. | ||||
| CVE-2025-67623 | 1 Wordpress | 1 Wordpress | 2025-12-29 | 9.1 Critical |
| Server-Side Request Forgery (SSRF) vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Server Side Request Forgery.This issue affects 6Storage Rentals: from n/a through <= 2.19.9. | ||||
| CVE-2025-15098 | 1 Yunaiv | 1 Yudao-cloud | 2025-12-29 | 6.3 Medium |
| A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Executing manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-27600 | 1 Fastgpt | 1 Fastgpt | 2025-12-29 | 6.5 Medium |
| FastGPT is a knowledge-based platform built on the LLMs. Since the web crawling plug-in does not perform intranet IP verification, an attacker can initiate an intranet IP request, causing the system to initiate a request through the intranet and potentially obtain some private data on the intranet. This issue is fixed in 4.9.0. | ||||
| CVE-2025-62612 | 2 Fastgpt, Sealos | 2 Fastgpt, Fastgpt | 2025-12-29 | 5.3 Medium |
| FastGPT is an AI Agent building platform. Prior to version 4.11.1, in the workflow file reading node, the network link is not security-verified, posing a risk of SSRF attacks. This issue has been patched in version 4.11.1. | ||||
| CVE-2025-67743 | 1 Learningcircuit | 1 Local Deep Research | 2025-12-29 | 6.3 Medium |
| Local Deep Research is an AI-powered research assistant for deep, iterative research. In versions from 1.3.0 to before 1.3.9, the download service (download_service.py) makes HTTP requests using raw requests.get() without utilizing the application's SSRF protection (safe_requests.py). This can allow attackers to access internal services and attempt to reach cloud provider metadata endpoints (AWS/GCP/Azure), as well as perform internal network reconnaissance, by submitting malicious URLs through the API, depending on the deployment and surrounding controls. This issue has been patched in version 1.3.9. | ||||
| CVE-2021-47715 | 1 Hasura | 1 Graphql Engine | 2025-12-26 | 5.3 Medium |
| Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL definitions to potentially access internal network resources. | ||||
| CVE-2024-21498 | 2 Authcrunch, Greenpau | 2 Caddy-security, Caddy-security | 2025-12-23 | 5.3 Medium |
| All versions of the package github.com/greenpau/caddy-security are vulnerable to Server-side Request Forgery (SSRF) via X-Forwarded-Host header manipulation. An attacker can expose sensitive information, interact with internal services, or exploit other vulnerabilities within the network by exploiting this vulnerability. | ||||
| CVE-2025-14443 | 1 Redhat | 1 Openshift | 2025-12-23 | 8.5 High |
| A flaw was found in ose-openshift-apiserver. This vulnerability allows internal network enumeration, service discovery, limited information disclosure, and potential denial-of-service (DoS) through Server-Side Request Forgery (SSRF) due to missing IP address and network-range validation when processing user-supplied image references. | ||||
| CVE-2025-58179 | 2 Astro, Withastro | 2 \@astrojs\/cloudflare, Astro | 2025-12-22 | 7.2 High |
| Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served. a A bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure, allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin. This issue is fixed in version 12.6.6. | ||||
| CVE-2025-26487 | 2 Infinera, Nokia | 3 Mtc-9, Infinera Mtc-9, Infinera Mtc-9 Firmware | 2025-12-22 | 8.6 High |
| Server-Side Request Forgery (SSRF) vulnerability in Infinera MTC-9 version allows remote unauthenticated users to gain access to other network resources using HTTPS requests through the appliance used as a bridge. | ||||
| CVE-2023-38627 | 1 Trendmicro | 1 Apex Central | 2025-12-22 | 5.4 Medium |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38626. | ||||
| CVE-2023-38625 | 1 Trendmicro | 1 Apex Central | 2025-12-22 | 5.4 Medium |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38624. | ||||
| CVE-2023-38626 | 1 Trendmicro | 1 Apex Central | 2025-12-22 | 5.4 Medium |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625. | ||||