Explore CVEs related to SSRF vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.
It includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.
You're viewing SSRF CVEs published in 2019.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2018-20499 | An issue was discovered in GitLab Community and Enterprise Edition before 11.x before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF. | 7.2 | 0.09% | 2019-12-30 | 2024-11-21 |
| CVE-2018-20497 | An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It allows SSRF. | 5.0 | 0.05% | 2019-12-30 | 2024-11-21 |
| CVE-2019-20055 | LiquidPixels LiquiFire OS 4.8.0 allows SSRF via the call%3Durl substring followed by a URL in square brackets. | 6.5 | 0.29% | 2019-12-29 | 2024-11-21 |
| CVE-2019-19999 | Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration. | 7.2 | 0.44% | 2019-12-26 | 2024-11-21 |
| CVE-2019-3996 | ELOG 3.1.4-57bea22 and below can be used as an HTTP GET request proxy when unauthenticated remote attackers send crafted HTTP POST requests. | 6.5 | 3.50% | 2019-12-17 | 2024-11-21 |
| CVE-2019-18379 | Symantec Messaging Gateway, prior to 10.7.3, may be susceptible to a server-side request forgery (SSRF) exploit, which is a type of issue that can let an attacker send crafted requests from the backend server of a vulnerable web application or access services available through the loopback interface. | 7.3 | 0.93% | 2019-12-11 | 2024-11-21 |
| CVE-2019-16948 | An SSRF issue was discovered in Enghouse Web Chat 6.1.300.31. In any POST request, one can replace the port number at WebServiceLocation=http://localhost:8085/UCWebServices/ with a range of ports to determine what is visible on the internal network (as opposed to what general web traffic would see on the product's host). The response from open ports is different than from closed ports. The product does not allow one to change the protocol: anything except http(s) will throw an error; however, it | 9.8 | 0.36% | 2019-11-13 | 2024-11-21 |
| CVE-2019-8156 | A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector api endpoint to enable remote code execution. | 7.2 | 1.10% | 2019-11-06 | 2024-11-21 |
| CVE-2019-8151 | A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway. | 7.2 | 1.10% | 2019-11-06 | 2024-11-21 |
| CVE-2019-18394 | A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. | 9.8 | 93.27% | 2019-10-24 | 2024-11-21 |
| CVE-2019-18355 | An SSRF issue was discovered in the legacy Web launcher in Thycotic Secret Server before 10.7. | 9.8 | 0.42% | 2019-10-23 | 2024-11-21 |
| CVE-2019-17400 | The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion. | 7.5 | 0.44% | 2019-10-21 | 2024-11-21 |
| CVE-2019-17670 | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. | 9.8 | 5.54% | 2019-10-17 | 2024-11-21 |
| CVE-2019-17669 | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters. | 9.8 | 8.38% | 2019-10-17 | 2024-11-21 |
| CVE-2019-14225 | OX App Suite 7.10.1 and 7.10.2 allows SSRF. | 5.4 | 0.22% | 2019-10-14 | 2024-11-21 |
| CVE-2017-18638 | send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information. | 7.5 | 91.62% | 2019-10-11 | 2024-11-21 |
| CVE-2019-15021 | A security vulnerability exists in the Zingbox Inspector versions 1.294 and earlier, that can allow an attacker to easily identify instances of Zingbox Inspectors in a local area network. | 5.3 | 0.21% | 2019-10-09 | 2024-11-21 |
| CVE-2019-15164 | rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may be provided as a capture source. | 5.3 | 1.88% | 2019-10-03 | 2024-11-21 |
| CVE-2019-13335 | SalesAgility SuiteCRM 7.10.x 7.10.19 and 7.11.x before and 7.11.7 has SSRF. | 9.8 | 0.59% | 2019-10-02 | 2024-11-21 |
| CVE-2019-16932 | A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data. | 10.0 | 80.84% | 2019-09-30 | 2024-11-21 |