RedhatCVE, added 2026/01/06 5:07 p.m.

CVE-2025-53344

Cross-Site Request Forgery CSRF vulnerability in ThimPress Thim Core allows Cross Site Request Forgery. This issue affects Thim Core: from n/a through 2.3.3...

CVSS 4.3, AI score 5.1, EPSS 0.00098; exploits: 0, references: 1
Cvelist, added 2026/01/06 3:52 p.m.

CVE-2020-36918 iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery via User Management

iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft malicious web pages to trick logged-in administrators into adding unauthorized users by exploiting the...

CVSS 5.1, EPSS 0.00142; exploits: 1, references: 7
Vulnrichment, added 2026/01/06 3:52 p.m.

CVE-2020-36906 P5 FNIP-8x16A FNIP-4xSH 1.0.20 Cross-Site Request Forgery via User Management

P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking...

CVSS 5.3, AI score 6.3, EPSS 0.00142; exploits: 1, references: 7
Patchstack, added 2026/01/06 9:45 a.m.

WordPress Xagio SEO plugin <= 7.1.0.30 - Authenticated (Subscriber+) Server-Side Request Forgery vulnerability

Authenticated Subscriber+ Server-Side Request Forgery vulnerability discovered by Jack Taylor in WordPress Plugin Xagio SEO versions <= 7.1.0.30...

CVSS 6.4, AI score 6.8, EPSS 0.00197; exploits: 0, references: 1, affected software: 1
SUSE CVE, added 2026/01/06 12:24 a.m.

SUSE CVE-2025-67494

ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI V2 treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This...

CVSS 9.3, AI score 7.1, EPSS 0.00452; exploits: 2, references: 2
CNNVD, added 2026/01/06 12:00 a.m.

SnapGear Management Console SG560 Cross-Site Request Forgery Vulnerability

SnapGear Management Console SG560 is a versatile network security gateway from SnapGear. The SnapGear Management Console SG560 suffers from a cross-site request forgery vulnerability that stems from susceptibility to a cross-site request forgery attack that could result in the creation of a new...

CVSS 8.8, AI score 6.7, EPSS 0.00231; exploits: 2, references: 5
Positive Technologies, added 2026/01/06 12:00 a.m.

PT-2026-1411

Name of the Vulnerable Software and Affected Versions Xagio SEO – AI Powered SEO plugin for WordPress versions through 7.1.0.30 Description The Xagio SEO – AI Powered SEO plugin for WordPress is susceptible to a Server-Side Request Forgery issue. This allows authenticated attackers with...

CVSS 6.4, AI score 6.2, EPSS 0.00197; exploits: 0, references: 10
Positive Technologies, added 2026/01/06 12:00 a.m.

PT-2026-2106

Name of the Vulnerable Software and Affected Versions Mailpit versions 1.28.0 and below Description Mailpit is an email testing tool and API for developers. A Server-Side Request Forgery SSRF exists in the /proxy endpoint, allowing attackers to make requests to internal network resources. The...

CVSS 9.9, AI score 6.6, EPSS 0.01747; exploits: 9, references: 50
EUVD, added 2026/01/05 10:55 p.m.

EUVD-2025-206237

Spinnaker vulnerable to SSRF due to improper restrictions on http from user input...

CVSS 7.9, AI score 6.3, EPSS 0.00155; exploits: 0, references: 2
Snyk, added 2026/01/05 10:55 p.m.

Server-side Request Forgery (SSRF)

Overview io.spinnaker.orca:orca-clouddriver is a Spinnaker Orca Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via improper restrictions on user-supplied URLs when fetching data. An attacker can access internal resources, extract sensitive authentication data...

CVSS 8.8, AI score 6.9, EPSS 0.00155; exploits: 0, references: 3
Github Security Blog, added 2026/01/05 10:55 p.m.

Spinnaker vulnerable to SSRF due to improper restrictions on http from user input

Impact The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into Spinnaker pipelines via helm or other methods to extract things LIKE idmsv1 authentication data. This ALSO includes calling INTERNAL Spinnaker API's via a get and similar endpoints...

CVSS 7.9, AI score 6.9, EPSS 0.00155; exploits: 0, references: 3, affected software: 1
NVD, added 2026/01/05 10:15 p.m.

CVE-2025-61916

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into spinnaker pipelines vi...

CVSS 7.9, EPSS 0.00155; exploits: 0, references: 1
CVE, added 2026/01/05 9:52 p.m.

CVE-2025-68437

CVE-2025-68437 affects Craft CMS via SSRF in the GraphQL mutation save__Asset, caused by insufficient validation of the _file.url parameter. Affected versions are 5.0.0-RC1–5.8.20 and 4.0.0-RC1–4.16.16. An attacker with asset-management permissions can supply a URL pointing to internal IPs or c...

CVSS 6.8, AI score 6.8, EPSS 0.00427; exploits: 1, references: 3, affected software: 1
OSV, added 2026/01/05 9:52 p.m.

CVE-2025-68437 Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter,...

CVSS 5.9, AI score 7.1, EPSS 0.00427; exploits: 1, references: 5
Snyk, added 2026/01/05 9:30 p.m.

Server-side Request Forgery (SSRF)

Overview @evershop/evershop is The React Ecommerce platform. Built with React and Postgres. Open-source and free. Fast and customizable. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the GET /images API endpoint. An attacker can cause the server to...

CVSS 6.9, AI score 7, EPSS 0.00175; exploits: 0, references: 2
OSV, added 2026/01/05 9:30 p.m.

GHSA-VP8W-WJ4M-3R7J evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API

A Blind Server-Side Request Forgery SSRF vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits...

CVSS 6.9, AI score 7.1, EPSS 0.00175; exploits: 0, references: 4
Github Security Blog, added 2026/01/05 9:30 p.m.

evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API

A Blind Server-Side Request Forgery SSRF vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits...

CVSS 6.5, AI score 7.2, EPSS 0.00175; exploits: 0, references: 5, affected software: 1
Vulnrichment, added 2026/01/05 9:14 p.m.

CVE-2025-61916 Spinnaker vulnerable to SSRF due to improper restrictions on http from user input

Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into spinnaker pipelines vi...

CVSS 7.9, AI score 6.5, EPSS 0.00155; exploits: 0, references: 1
OSV, added 2026/01/05 6:02 p.m.

GHSA-X27P-WFQW-HFCC Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation

The Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by...

CVSS 5.9, AI score 7.3, EPSS 0.00446; exploits: 3, references: 5
OSV, added 2026/01/05 4:15 p.m.

CVE-2025-67315

Cross Site Request Forgery vulnerability in Employee Leave Management System v.2.1 allows a remote attacker to escalate privileges via the manage-employee.php component...

CVSS 5.4, AI score 5.8, EPSS 0.0007; exploits: 0, references: 2