Total
1789 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7787 | 1 Xuxueli | 1 Xxl-job | 2025-09-11 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in Xuxueli xxl-job up to 3.1.1. Affected is the function httpJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-47437 | 2 Litespeed Technologies, Wordpress | 2 Litespeed Cache, Wordpress | 2025-09-11 | 6.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in LiteSpeed Technologies LiteSpeed Cache. This issue affects LiteSpeed Cache: from n/a through 7.0.1. | ||||
| CVE-2025-49430 | 1 Wordpress | 1 Wordpress | 2025-09-11 | 7.2 High |
| Server-Side Request Forgery (SSRF) vulnerability in FWDesign Ultimate Video Player allows Server Side Request Forgery. This issue affects Ultimate Video Player: from n/a through 10.1. | ||||
| CVE-2025-58977 | 2 Winwar, Wordpress | 2 Wp Ebay Product Feeds, Wordpress | 2025-09-11 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Rhys Wynne WP eBay Product Feeds allows Server Side Request Forgery. This issue affects WP eBay Product Feeds: from n/a through 3.4.8. | ||||
| CVE-2025-7843 | 1 Wordpress | 1 Wordpress | 2025-09-11 | 6.4 Medium |
| The Auto Save Remote Images (Drafts) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetch_images() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2024-34351 | 1 Vercel | 1 Next.js | 2025-09-10 | 7.5 High |
| Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`. | ||||
| CVE-2025-47733 | 1 Microsoft | 1 Power Apps | 2025-09-10 | 9.1 Critical |
| Server-Side Request Forgery (SSRF) in Microsoft Power Apps allows an unauthorized attacker to disclose information over a network | ||||
| CVE-2025-29972 | 1 Microsoft | 1 Azure Storage Resource Provider | 2025-09-10 | 9.9 Critical |
| Server-Side Request Forgery (SSRF) in Azure allows an authorized attacker to perform spoofing over a network. | ||||
| CVE-2025-21385 | 1 Microsoft | 1 Purview | 2025-09-09 | 8.8 High |
| A Server-Side Request Forgery (SSRF) vulnerability in Microsoft Purview allows an authorized attacker to disclose information over a network. | ||||
| CVE-2025-10096 | 1 Simstudioai | 1 Sim | 2025-09-09 | 6.3 Medium |
| A vulnerability was determined in SimStudioAI sim up to 1.0.0. This affects an unknown function of the file apps/sim/app/api/files/parse/route.ts. Executing manipulation of the argument filePath can lead to server-side request forgery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 3424a338b763115f0269b209e777608e4cd31785. Applying a patch is advised to resolve this issue. | ||||
| CVE-2025-43763 | 1 Liferay | 2 Dxp, Portal | 2025-09-09 | N/A |
| A server-side request forgery (SSRF) vulnerability exist in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 that affects custom object attachment fields. This flaw allows an attacker to manipulate the application into making unauthorized requests to other instances, creating new object entries that link to external resources. | ||||
| CVE-2025-30678 | 2 Microsoft, Trendmicro | 2 Windows, Apex Central | 2025-09-08 | 6.5 Medium |
| A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modTMSM component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations. | ||||
| CVE-2025-30679 | 2 Microsoft, Trendmicro | 2 Windows, Apex Central | 2025-09-08 | 6.5 Medium |
| A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modOSCE component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations. | ||||
| CVE-2025-30680 | 2 Microsoft, Trendmicro | 2 Windows, Apex Central | 2025-09-08 | 7.5 High |
| A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (SaaS) could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations. Please note: this vulnerability only affects the SaaS instance of Apex Central - customers that automatically apply Trend Micro's monthly maintenance releases to the SaaS instance do not have to take any further action. | ||||
| CVE-2025-57822 | 1 Vercel | 1 Next.js | 2025-09-08 | 6.5 Medium |
| Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function. | ||||
| CVE-2025-55007 | 1 Eng | 1 Knowage | 2025-09-05 | 3.5 Low |
| Knowage is an open source analytics and business intelligence suite. Prior to version 8.1.37, Knowage is vulnerable to server-side request forgery. The vulnerability allows attackers to send requests to arbitrary hosts/paths. Since the attacker is not able to read the response, the impact of this vulnerability is limited. However, an attacker could be able to leverage this vulnerability to scan the internal network. This issue has been patched in version 8.1.37. | ||||
| CVE-2025-58179 | 1 Withastro | 1 Astro | 2025-09-05 | 7.2 High |
| Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served. a A bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure, allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin. This issue is fixed in version 12.6.6. | ||||
| CVE-2025-58829 | 2025-09-05 | 4.9 Medium | ||
| Server-Side Request Forgery (SSRF) vulnerability in aitool Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One allows Server Side Request Forgery. This issue affects Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One: from n/a through 2.2.6. | ||||
| CVE-2025-3412 | 1 Aias | 1 Aias | 2025-09-04 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in mymagicpower AIAS 20250308. Affected is an unknown function of the file 2_training_platform/train-platform/src/main/java/top/aias/training/controller/InferController.java. The manipulation of the argument url leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-3411 | 1 Aias | 1 Aias | 2025-09-04 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in mymagicpower AIAS 20250308. This issue affects some unknown processing of the file 3_api_platform/api-platform/src/main/java/top/aias/platform/controller/AsrController.java. The manipulation of the argument url leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||