Total
1884 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-65513 | 2025-12-11 | 7.5 High | ||
| fetch-mcp v1.0.2 and before is vulnerable to Server-Side Request Forgery (SSRF) vulnerability, which allows attackers to bypass private IP validation and access internal network resources. | ||||
| CVE-2025-59503 | 1 Microsoft | 2 Azure, Azure Compute Resource Provider | 2025-12-11 | 10 Critical |
| Server-side request forgery (ssrf) in Azure Compute Gallery allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2020-36884 | 2025-12-11 | N/A | ||
| BrightSign Digital Signage Diagnostic Web Server 8.2.26 and less contains an unauthenticated server-side request forgery vulnerability in the 'url' GET parameter of the Download Speed Test service. Attackers can specify external domains to bypass firewalls and perform network enumeration by forcing the application to make arbitrary HTTP requests to internal network hosts. | ||||
| CVE-2025-11467 | 2 Themeisle, Wordpress | 2 Rss Aggregator By Feedzy, Wordpress | 2025-12-11 | 5.8 Medium |
| The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2025-14518 | 2025-12-11 | 6.3 Medium | ||
| A vulnerability was identified in PowerJob up to 5.1.2. This vulnerability affects the function checkConnectivity of the file src/main/java/tech/powerjob/common/utils/net/PingPongUtils.java of the component Network Request Handler. The manipulation of the argument targetIp/targetPort leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | ||||
| CVE-2025-62207 | 1 Microsoft | 1 Azure Monitor Control Service | 2025-12-11 | 8.6 High |
| Azure Monitor Elevation of Privilege Vulnerability | ||||
| CVE-2025-14516 | 2025-12-11 | 6.3 Medium | ||
| A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-12832 | 1 Ibm | 1 Infosphere Information Server | 2025-12-10 | 4.6 Medium |
| IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | ||||
| CVE-2021-47703 | 1 Openbmcs | 1 Openbmcs | 2025-12-10 | N/A |
| OpenBMCS 2.4 contains an unauthenticated SSRF vulnerability that allows attackers to bypass firewalls and initiate service and network enumeration on the internal network through the affected application, allowing hijacking of current sessions. Attackers can specify an external domain in the 'ip' parameter to force the application to make an HTTP request to an arbitrary destination host. | ||||
| CVE-2025-63010 | 1 Wordpress | 1 Wordpress | 2025-12-10 | 4.8 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery.This issue affects Hercules Core : from n/a through <= 7.4. | ||||
| CVE-2025-67494 | 1 Zitadel | 1 Zitadel | 2025-12-10 | 9.3 Critical |
| ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1. | ||||
| CVE-2025-65958 | 2 Open-webui, Openwebui | 2 Open-webui, Open Webui | 2025-12-10 | 8.5 High |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37. | ||||
| CVE-2024-32987 | 1 Microsoft | 1 Sharepoint Server | 2025-12-09 | 7.5 High |
| Microsoft SharePoint Server Information Disclosure Vulnerability | ||||
| CVE-2025-59088 | 1 Redhat | 8 Enterprise Linux, Enterprise Linux Eus, Rhel Aus and 5 more | 2025-12-09 | 8.6 High |
| If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected. | ||||
| CVE-2025-60319 | 1 Perfree | 1 Perfreeblog | 2025-12-09 | 6.5 Medium |
| PerfreeBlog v4.0.11 is vulnerable to Server-Side Request Forgery due to a missing authorization check in the uploadAttachByUrl API endpoint (AttachController.java). | ||||
| CVE-2025-26487 | 1 Infinera | 1 Mtc-9 | 2025-12-09 | 8.6 High |
| Server-Side Request Forgery (SSRF) vulnerability in Infinera MTC-9 version allows remote unauthenticated users to gain access to other network resources using HTTPS requests through the appliance used as a bridge. | ||||
| CVE-2025-14116 | 1 Yuxi-know Project | 1 Yuxi-know | 2025-12-08 | 4.7 Medium |
| A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument health_url results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The patch is named 0ff771dc1933d5a6b78f804115e78a7d8625c3f3. To fix this issue, it is recommended to deploy a patch. The vendor responded with a vulnerability confirmation and a list of security measures they have established already (e.g. disabled URL parsing, disabled URL upload mode, removed URL-to-markdown conversion). | ||||
| CVE-2025-62763 | 1 Zimbra | 1 Collaboration | 2025-12-08 | 5 Medium |
| Zimbra Collaboration (ZCS) before 10.1.12 allows SSRF because of the configuration of the chat proxy. | ||||
| CVE-2025-14004 | 1 Xunruicms | 1 Xunruicms | 2025-12-08 | 4.7 Medium |
| A security flaw has been discovered in dayrui XunRuiCMS up to 4.7.1. Affected is an unknown function of the file /admind45f74adbd95.php?c=email&m=add of the component Email Setting Handler. Performing manipulation results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-22399 | 1 Dell | 1 Utility Configuration Collector Edge | 2025-12-06 | 7.9 High |
| Dell UCC Edge, version 2.3.0, contains a Blind SSRF on Add Customer SFTP Server vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Server-side request forgery | ||||