Total
1671 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-22648 | 1 Seopanel | 1 Seo Panel | 2025-06-20 | 5.3 Medium |
| A Blind SSRF vulnerability exists in the "Crawl Meta Data" functionality of SEO Panel version 4.10.0. This makes it possible for remote attackers to scan ports in the local environment. | ||||
| CVE-2023-52331 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | 7.1 High |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | ||||
| CVE-2023-38627 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | 5.4 Medium |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38626. | ||||
| CVE-2023-38626 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | 5.4 Medium |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625. | ||||
| CVE-2023-38625 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | 5.4 Medium |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38624. | ||||
| CVE-2023-38624 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | 5.4 Medium |
| A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625 through CVE-2023-38627. | ||||
| CVE-2024-37818 | 1 Strapi | 1 Strapi | 2025-06-20 | 8.6 High |
| Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability allows attackers to scan for open ports or access sensitive information via a crafted GET request. NOTE: The Strapi Development Community argues that this issue is not valid. They contend that "the strapi/admin was wrongly attributed a flaw that only pertains to the strapi.io website, and which, at the end of the day, does not pose any real SSRF risk to applications that make use of the Strapi library." | ||||
| CVE-2025-30678 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | 6.5 Medium |
| A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modTMSM component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations. | ||||
| CVE-2025-30679 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | 6.5 Medium |
| A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modOSCE component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations. | ||||
| CVE-2025-30680 | 1 Trendmicro | 1 Apex Central | 2025-06-20 | 7.5 High |
| A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (SaaS) could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations. Please note: this vulnerability only affects the SaaS instance of Apex Central - customers that automatically apply Trend Micro's monthly maintenance releases to the SaaS instance do not have to take any further action. | ||||
| CVE-2025-45474 | 1 Maccms | 1 Maccms | 2025-06-19 | 7.3 High |
| maccms10 v2025.1000.4047 is vulnerable to Server-side request forgery (SSRF) in Email Settings. | ||||
| CVE-2023-51441 | 1 Apache | 1 Axis | 2025-06-18 | 7.2 High |
| ** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF This issue affects Apache Axis: through 1.3. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome. | ||||
| CVE-2023-42450 | 1 Joinmastodon | 1 Mastodon | 2025-06-18 | 5.4 Medium |
| Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary data into HTTP requests issued by Mastodon. This can be used to perform confused deputy attacks if the server configuration includes `ALLOWED_PRIVATE_ADDRESSES` to allow access to local exploitable services. Version 4.2.0-rc2 has a patch for the issue. | ||||
| CVE-2025-29720 | 1 Langgenius | 1 Dify | 2025-06-18 | 4.8 Medium |
| Dify v1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi. | ||||
| CVE-2023-47116 | 1 Humansignal | 1 Label Studio | 2025-06-17 | 5.3 Medium |
| Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections that can be enabled by setting the `SSRF_PROTECTION_ENABLED` environment variable can be bypassed to access internal web servers. This is because the current SSRF validation is done by executing a single DNS lookup to verify that the IP address is not in an excluded subnet range. This protection can be bypassed by either using HTTP redirection or performing a DNS rebinding attack. | ||||
| CVE-2024-22205 | 1 Benbusby | 1 Whoogle Search | 2025-06-17 | 9.1 Critical |
| Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `window` endpoint does not sanitize user-supplied input from the `location` variable and passes it to the `send` method which sends a `GET` request on lines 339-343 in `request.py,` which leads to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet. This issue is fixed in version 0.8.4. | ||||
| CVE-2024-0649 | 1 Zhiyun-tech | 1 Zhihuiyun | 2025-06-17 | 6.3 Medium |
| A vulnerability was found in ZhiHuiYun up to 4.4.13 and classified as critical. This issue affects the function download_network_image of the file /app/Http/Controllers/ImageController.php of the component Search. The manipulation of the argument url leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251375. | ||||
| CVE-2024-22408 | 1 Shopware | 1 Shopware | 2025-06-17 | 7.6 High |
| Shopware is an open headless commerce platform. The implemented Flow Builder functionality in the Shopware application does not adequately validate the URL used when creating the “call webhook” action. This enables malicious users to perform web requests to internal hosts. This issue has been fixed in the Commercial Plugin release 6.5.7.4 or with the Security Plugin. For installations with Shopware 6.4 the Security plugin is recommended to be installed and up to date. For older versions of 6.4 and 6.5 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. | ||||
| CVE-2024-0601 | 1 Zhongfucheng3y | 1 Austin | 2025-06-17 | 6.3 Medium |
| A vulnerability was found in ZhongFuCheng3y Austin 1.0. It has been rated as critical. Affected by this issue is the function getRemoteUrl2File of the file src\main\java\com\java3y\austin\support\utils\AustinFileUtils.java of the component Email Message Template Handler. The manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-250838 is the identifier assigned to this vulnerability. | ||||
| CVE-2024-30125 | 1 Hcltech | 1 Bigfix Compliance | 2025-06-17 | 6.2 Medium |
| HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die. | ||||