Total: 1836 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-1548 | 1 Iteachyou | 1 Dreamer Cms | 2025-04-04 | 3.5 Low | A vulnerability was found in iteachyou Dreamer CMS 4.1.3. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/archives/edit. The manipulation of the argument editorValue/answer/content leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2024-12450 | 1 Infiniflow | 1 Ragflow | 2025-04-04 | 9.8 Critical | In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal network addresses and viewing their content through the generated PDF files. Additionally, the lack of restrictions on the file protocol enables Arbitrary File Read, allowing attackers to read server files. Furthermore, the use of an outdated Chromium headless version with --no-sandbox mode enabled makes the application susceptible to Remote Code Execution (RCE) via known Chromium v8 vulnerabilities. These issues are resolved in version 0.14.0. |
| CVE-2004-2061 | 1 Risearch | 2 Risearch, Risearch Pro | 2025-04-03 | 9.8 Critical | RiSearch 1.0.01 and RiSearch Pro 3.2.06 allow remote attackers to use the show.pl script as an open proxy, or read arbitrary local files, by setting the url parameter to a (1) http://, (2) ftp://, or (3) file:// URL. |
| CVE-2002-1484 | 1 Siemens | 1 Db4web | 2025-04-03 | 9.8 Critical | DB4Web server, when configured to use verbose debug messages, allows remote attackers to use DB4Web as a proxy and attempt TCP connections to other systems (port scan) via a request for a URL that specifies the target IP address and port, which produces a connection status in the resulting error message. |
| CVE-2024-35635 | 1 Wpmanageninja | 1 Ninja Tables | 2025-04-03 | 4.4 Medium | Server-Side Request Forgery (SSRF) vulnerability in WPManageNinja LLC Ninja Tables. This issue affects Ninja Tables: from n/a through 5.0.9. |
| CVE-2024-32430 | 1 Activecampaign | 1 Activecampaign | 2025-04-02 | 4.4 Medium | Server-Side Request Forgery (SSRF) vulnerability in ActiveCampaign. This issue affects ActiveCampaign: from n/a through 8.1.14. |
| CVE-2023-23560 | 1 Lexmark | 256 B2236, B2236 Firmware, B2338 and 253 more | 2025-04-02 | 9.8 Critical | In certain Lexmark products through 2023-01-12, SSRF can occur because of a lack of input validation. |
| CVE-2021-43449 | 1 Onlyoffice | 1 Server | 2025-04-02 | 8.1 High | ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Server-Side Request Forgery (SSRF). The document editor service can be abused to read and serve arbitrary URLs as a document. |
| CVE-2024-13838 | 1 Uncannyowl | 1 Uncanny Automator | 2025-04-02 | 5.5 Medium | The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.2 via the 'call_webhook' method of the Automator_Send_Webhook class. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. |
| CVE-2024-11822 | 1 Dify | 1 Dify | 2025-04-01 | 7.5 High | langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due to improper handling of the api_endpoint parameter, allowing an attacker to make direct requests to internal network services. This can lead to unauthorized access to internal servers and potentially expose sensitive information, including access to the AWS metadata endpoint. |
| CVE-2024-12779 | 1 Infiniflow | 1 Ragflow | 2025-04-01 | 7.5 High | A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the `POST /v1/llm/add_llm` and `POST /v1/conversation/tts` endpoints. Attackers can specify an arbitrary URL as the `api_base` when adding an `OPENAITTS` model, and subsequently access the `tts` REST API endpoint to read contents from the specified URL. This can lead to unauthorized access to internal web resources. |
| CVE-2024-8952 | 1 Composio | 1 Composio | 2025-04-01 | 7.5 High | A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.2, specifically in the /api/actions/execute/WEBTOOL_SCRAPE_WEBSITE_CONTENT endpoint. This vulnerability allows an attacker to read files, access AWS metadata, and interact with local services on the system. |
| CVE-2025-31527 | | | 2025-04-01 | 6.4 Medium | Server-Side Request Forgery (SSRF) vulnerability in Kishan WP Link Preview. This issue affects WP Link Preview: from n/a through 1.4.1. |
| CVE-2025-31796 | | | 2025-04-01 | 5.4 Medium | Server-Side Request Forgery (SSRF) vulnerability in TheInnovs Team ElementsCSS Addons for Elementor. This issue affects ElementsCSS Addons for Elementor: from n/a through 1.0.8.7. |
| CVE-2024-48590 | 1 Inflectra | 1 Spirateam | 2025-04-01 | 9.8 Critical | Inflectra SpiraTeam 7.2.00 is vulnerable to Server-Side Request Forgery (SSRF) via the NewsReaderService. This allows an attacker to escalate privileges and obtain sensitive information. |
| CVE-2024-0677 | 1 Popozure | 1 Pz-linkcard | 2025-04-01 | 5.1 Medium | The Pz-LinkCard WordPress plugin through 2.5.1 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks. |
| CVE-2022-46998 | 1 Taogogo | 1 Taocms | 2025-04-01 | 9.8 Critical | An issue in the website background of taocms v3.0.2 allows attackers to execute a Server-Side Request Forgery (SSRF). |
| CVE-2025-2835 | 1 Zhyd | 1 Oneblog | 2025-04-01 | 4.3 Medium | A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been declared as problematic. Affected by this vulnerability is the function autoLink of the file com/zyd/blog/controller/RestApiController.java. The manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-28668 | 1 Dedecms | 1 Dedecms | 2025-04-01 | 6.1 Medium | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/mychannel_add.php. |
| CVE-2021-39339 | 1 Telefication | 1 Telefication | 2025-03-31 | 5.8 Medium | The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that is passed to a curl request. This affects versions up to, and including, 1.8.0. |
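The entries above repeat two failure modes: a server-side fetcher that accepts any URL scheme (the file:// and ftp:// cases in CVE-2004-2061 and CVE-2024-12450) and one that will connect to whatever address the user names, including loopback, RFC 1918 ranges and the 169.254.169.254 cloud metadata endpoint (CVE-2024-11822, CVE-2024-8952). The following is an added example, not code from any project listed on this page, of the outbound-URL guard a fetcher should run before connecting. The hostnames and the in-memory resolver table are constructed for the demonstration; the `system_resolver` path uses the OS resolver and is what a real deployment would pass.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Schemes a server-side fetcher may use on a user-supplied URL. Anything
# else (file://, ftp://, gopher://, dict://) is refused outright.
ALLOWED_SCHEMES = {"http", "https"}

# Address ranges the fetcher must never reach, whether the user wrote them
# literally or arrived at them through DNS. 169.254.0.0/16 covers the cloud
# metadata endpoint named in the Dify and Composio entries.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched server-side."""


def is_blocked_address(text: str) -> bool:
    """True if the address lies in a blocked range. An IPv4-mapped IPv6
    literal such as ::ffff:169.254.169.254 is unwrapped first so it cannot
    slip past the IPv4 ranges."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> list[str]:
    """Resolve a name with the OS resolver. Every returned address is
    checked by the caller, so a name that maps to one public and one
    private address is rejected as a whole."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_outbound_url(url: str, resolver=system_resolver) -> tuple[str, str, list[str]]:
    """Return (scheme, host, resolved_addresses) for a URL that is safe to
    fetch, or raise UnsafeURL. The caller should connect to one of the
    returned addresses (sending `host` in the Host header) instead of
    resolving the name a second time, so a changed DNS answer cannot
    redirect the request after the check."""
    try:
        parts = urlsplit(url)          # lowercases the scheme for us
        host = parts.hostname          # brackets stripped, lowercased
    except ValueError as exc:          # e.g. a malformed IPv6 literal
        raise UnsafeURL(f"unparseable URL: {exc}") from None
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if not host:
        raise UnsafeURL("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials embedded in URL")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP, no DNS
    except ValueError:
        addresses = resolver(host)                      # a name: resolve it
    if not addresses:
        raise UnsafeURL(f"host does not resolve: {host!r}")
    for address in addresses:
        if is_blocked_address(address):
            raise UnsafeURL(f"{host!r} resolves to blocked address {address}")
    return parts.scheme, host, addresses


def is_safe_url(url: str, resolver=system_resolver) -> bool:
    """Boolean wrapper around validate_outbound_url for allow/deny checks."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except UnsafeURL:
        return False


# Constructed resolver table so the example runs offline; the names and
# addresses are hypothetical, chosen only to exercise each branch.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "https://public.example/docs",
        "file:///etc/passwd",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/",
        "http://intranet.example/admin",
        "http://rebind.example/",
    ):
        print(f"{candidate:45} {'allow' if is_safe_url(candidate, fake_resolver) else 'deny'}")
```

Two caveats the check alone does not cover: the HTTP client must have automatic redirects disabled (or re-run the check on every hop), since an allowed public host can 302 to 169.254.169.254, and the client should connect to an address returned by the check rather than letting the transport resolve the name again, which is what defeats DNS rebinding between validation and connection.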