Total
1899 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49545 | 1 Adobe | 1 Coldfusion | 2025-07-13 | 6.2 Medium |
| ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of URLs. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses. | ||||
| CVE-2024-12121 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 5.4 Medium |
| The Broken Link Checker | Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the 'moblc_check_link' function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2024-3448 | 1 Mautic | 1 Mautic | 2025-07-13 | 5 Medium |
| Users with low privileges can perform certain AJAX actions. In this vulnerability instance, improper access to ajax?action=plugin:focus:checkIframeAvailability leads to a Server-Side Request Forgery by analyzing the error messages returned from the back-end. Allowing an attacker to perform a port scan in the back-end. At the time of publication of the CVE no patch is available. | ||||
| CVE-2024-13940 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 5.5 Medium |
| The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2025-32691 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Angelo Mandato PowerPress Podcasting allows Server Side Request Forgery. This issue affects PowerPress Podcasting: from n/a through 11.12.4. | ||||
| CVE-2024-37208 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Robert Macchi WP Scraper.This issue affects WP Scraper: from n/a through 5.7. | ||||
| CVE-2024-6922 | 1 Automationanywhere | 1 Automation 360 | 2025-07-13 | N/A |
| Automation Anywhere Automation 360 v21-v32 is vulnerable to Server-Side Request Forgery in a web API component. An attacker with unauthenticated access to the Automation 360 Control Room HTTPS service (port 443) or HTTP service (port 80) can trigger arbitrary web requests from the server. | ||||
| CVE-2024-13957 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2025-07-13 | 7.6 High |
| SSRF Server Side Request Forgery vulnerabilities exist in ASPECT if administrator credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*. | ||||
| CVE-2025-46503 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in josheli Simple Google Photos Grid allows Server Side Request Forgery. This issue affects Simple Google Photos Grid: from n/a through 1.5. | ||||
| CVE-2024-54385 | 1 Softlab | 1 Radio Player | 2025-07-13 | 7.2 High |
| Server-Side Request Forgery (SSRF) vulnerability in SoftLab Radio Player allows Server Side Request Forgery.This issue affects Radio Player: from n/a through 2.0.82. | ||||
| CVE-2024-30531 | 1 Wordpress | 1 Wordpress | 2025-07-13 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content.This issue affects Nelio Content: from n/a through 3.2.0. | ||||
| CVE-2024-27775 | 1 Sysaid | 1 Sysaid | 2025-07-13 | 7.2 High |
| SysAid before version 23.2.14 b18 - CWE-918: Server-Side Request Forgery (SSRF) may allow exposing the local OS user's NTLMv2 hash | ||||
| CVE-2024-4894 | 1 Itpison | 1 Omicard Edm | 2025-07-13 | 5.3 Medium |
| ITPison OMICARD EDM fails to properly filter specific URL parameter, allowing unauthenticated remote attackers to modify the parameters and conduct Server-Side Request Forgery (SSRF) attacks. This vulnerability enables attackers to probe internal network information. | ||||
| CVE-2025-23221 | 1 Dahlia | 1 Fedify | 2025-07-13 | 5.4 Medium |
| Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack. This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4. | ||||
| CVE-2024-13856 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 6.4 Medium |
| The Your Friendly Drag and Drop Page Builder — Make Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.10 via the make_builder_ajax_subscribe() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2024-41664 | 1 Thinkst | 1 Canarytokens | 2025-07-12 | 5.4 Medium |
| Canarytokens help track activity and actions on a network. Prior to `sha-8ea5315`, Canarytokens.org was vulnerable to a blind SSRF in the Webhook alert feature. When a Canarytoken is created, users choose to receive alerts either via email or via a webhook. If a webhook is supplied when a Canarytoken is first created, the site will make a test request to the supplied URL to ensure it accepts alert notification HTTP requests. No safety checks were performed on the URL, leading to a Server-Side Request Forgery vulnerability. The SSRF is Blind because the content of the response is not displayed to the creating user; they are simply told whether an error occurred in making the test request. Using the Blind SSRF, it was possible to map out open ports for IPs inside the Canarytokens.org infrastructure. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after `sha-097d91a`. | ||||
| CVE-2024-33592 | 2 Softlab, Wordpress | 2 Radio Player, Wordpress | 2025-07-12 | 5.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in SoftLab Radio Player.This issue affects Radio Player: from n/a through 2.0.73. | ||||
| CVE-2025-30914 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 4.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in XpeedStudio Metform allows Server Side Request Forgery. This issue affects Metform: from n/a through 3.9.2. | ||||
| CVE-2024-39637 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 5.4 Medium |
| Server Side Request Forgery (SSRF) vulnerability in Pixelcurve Edubin edubin.This issue affects Edubin: from n/a through 9.2.0. | ||||
| CVE-2024-33627 | 1 Cusmin | 1 Absolutely Glamorous Custom Admin | 2025-07-12 | 4.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Cusmin Absolutely Glamorous Custom Admin.This issue affects Absolutely Glamorous Custom Admin: from n/a through 7.2.2. | ||||