Total: 1913 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-29008 | | | 2025-06-06 | 4.9 Medium | Server-Side Request Forgery (SSRF) vulnerability in ShawonPro SocialMark allows Server Side Request Forgery. This issue affects SocialMark: from n/a through 2.0.7. |
| CVE-2024-6155 | 1 Greenshiftwp | 1 Greenshift - Animation And Page Builder Blocks | 2025-06-05 | 6.4 Medium | The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Authenticated (Subscriber+) Server-Side Request Forgery and Stored Cross-Site Scripting in all versions up to, and including, 9.0.0 due to a missing capability check in the greenshift_download_file_localy function, along with no SSRF protection and no sanitization of uploaded SVG files. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application, which can also be leveraged to download malicious SVG files containing Cross-Site Scripting payloads to the server. On cloud-based servers, attackers could retrieve the instance metadata. The issue was partially patched in version 8.9.9 and fully patched in version 9.0.1. |
| CVE-2023-35817 | 1 Devexpress | 1 Devexpress | 2025-06-05 | 5 Medium | DevExpress before 23.1.3 allows AsyncDownloader SSRF. |
| CVE-2023-46480 | 1 Owncast Project | 1 Owncast | 2025-06-05 | 9.8 Critical | An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function. |
| CVE-2023-49094 | 1 Sentry | 1 Symbolicator | 2025-06-05 | 4.3 Medium | Symbolicator is a symbolication service for native stacktraces and minidumps with symbol server support. An attacker could make Symbolicator send arbitrary GET HTTP requests to internal IP addresses by using a specially crafted HTTP endpoint. The response could be reflected to the attacker if they have an account on the Sentry instance. The issue has been fixed in release 23.11.2. |
| CVE-2024-48907 | 1 Sematell | 1 Replyone | 2025-06-04 | 7.5 High | Sematell ReplyOne 7.4.3.0 allows SSRF via the application server API. |
| CVE-2025-48962 | | | 2025-06-04 | N/A | Sensitive information disclosure due to SSRF. The following products are affected: Acronis Cyber Protect 16 (Windows, Linux) before build 39938. |
| CVE-2022-2912 | 1 Craw-data Project | 1 Craw-data | 2025-06-03 | 4.3 Medium | The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged-in admin change the url value, performing unwanted crawls on third-party sites (SSRF). |
| CVE-2024-0946 | 1 60indexpage Project | 1 60indexpage | 2025-06-03 | 7.3 High | A vulnerability classified as critical was found in 60IndexPage up to 1.8.5. This vulnerability affects unknown code of the file /apply/index.php of the component Parameter Handler. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-252190 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2023-49471 | 1 Barassistant | 1 Bar Assistant | 2025-06-03 | 8.8 High | Blind Server-Side Request Forgery (SSRF) vulnerability in karlomikus Bar Assistant before version 3.2.0: the application does not validate a parameter before making a request through Image::make(), which could allow authenticated remote attackers to execute arbitrary code. |
| CVE-2024-0304 | 1 Youke365 | 1 Youke 365 | 2025-06-03 | 6.3 Medium | A vulnerability has been found in Youke365 up to 1.5.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /app/api/controller/collect.php. The manipulation of the argument url leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249871. |
| CVE-2024-0308 | 1 Inis Project | 1 Inis | 2025-06-03 | 6.3 Medium | A vulnerability was found in Inis up to 2.0.1. It has been rated as critical. This issue affects some unknown processing of the file app/api/controller/default/Proxy.php. The manipulation of the argument p_url leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249875. |
| CVE-2023-51804 | 1 Rymcu | 1 Forest | 2025-06-03 | 7.5 High | An issue in rymcu forest v.0.02 allows a remote attacker to obtain sensitive information via manipulation of the HTTP body URL in the com.rymcu.forest.web.api.common.UploadController file. |
| CVE-2021-31531 | 1 Zohocorp | 1 Manageengine Servicedesk Plus Msp | 2025-05-30 | 9.8 Critical | Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF). |
| CVE-2020-15594 | 1 Zohocorp | 1 Manageengine Application Control Plus | 2025-05-30 | 4.3 Medium | An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed. |
| CVE-2019-6970 | 1 Moodle | 1 Moodle | 2025-05-30 | N/A | Moodle 3.5.x before 3.5.4 allows SSRF. |
| CVE-2019-6516 | 1 Wso2 | 1 Dashboard Server | 2025-05-30 | N/A | An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible to force the application to perform requests to the internal workstation (port-scanning) and to perform requests to adjacent workstations (network-scanning), aka SSRF. |
| CVE-2019-6512 | 1 Wso2 | 1 Api Manager | 2025-05-30 | N/A | An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation (SSRF port-scanning), other adjacent workstations (SSRF network scanning), or to enumerate files because of the existence of the file:// wrapper. |
| CVE-2019-3905 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2025-05-30 | N/A | Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF. |
| CVE-2024-23330 | 1 Tuta | 1 Tutanota | 2025-05-30 | 5.3 Medium | Tuta is an encrypted email service. In versions prior to 119.10, an attacker can attach an image in an HTML mail that is loaded from an external resource under the default setting, which should prevent loading of external resources. When displaying emails containing external content, that content should be loaded by default only after confirmation by the user. However, certain embedded images (see PoC) are loaded even though the "Automatic Reloading of Images" function is disabled by default. The reloading is also done unencrypted via HTTP, and redirections are followed. This behavior is unexpected for the user, who assumes that external content will only be loaded after explicit manual confirmation. The loading of external content in e-mails represents a risk, because it makes the sender aware that the e-mail address is in use, when the e-mail was read and which device is used, and exposes the user's IP address. Version 119.10 contains a patch for this issue. |