Explore CVEs related to SSRF vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.
The list includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.
You're viewing SSRF CVEs published in 2020.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2020-28735 | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | 8.8 | 0.48% | 2020-12-30 | 2024-11-21 |
| CVE-2020-35850 | An SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states "I don't think [it] is a big real-life issue." | 6.5 | 0.45% | 2020-12-30 | 2024-11-21 |
| CVE-2020-26032 | An SSRF issue was discovered in Zammad before 3.4.1. The SMS configuration interface for Massenversand is implemented in a way that renders the result of a test request to the User. An attacker can use this to request any URL via a GET request from the network interface of the server. This may lead to disclosure of information from intranet systems. | 7.5 | 0.28% | 2020-12-28 | 2024-11-21 |
| CVE-2020-35712 | Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations. | 9.8 | 0.31% | 2020-12-26 | 2024-11-21 |
| CVE-2020-8464 | A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an attacker to send requests that appear to come from the localhost which could expose the product's admin interface to users who would not normally have access. | 7.5 | 0.64% | 2020-12-17 | 2024-11-21 |
| CVE-2019-14476 | AdRem NetCrunch 10.6.0.4587 has a Server-Side Request Forgery (SSRF) vulnerability in the NetCrunch server. Every user can trick the server into performing SMB requests to other systems. | 6.5 | 0.22% | 2020-12-16 | 2024-11-21 |
| CVE-2020-26258 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does | 6.3 | 93.68% | 2020-12-16 | 2025-05-23 |
| CVE-2020-10770 | A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. | 5.3 | 92.28% | 2020-12-15 | 2024-11-21 |
| CVE-2020-17513 | In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable to an SSRF attack. | 5.3 | 2.14% | 2020-12-14 | 2024-11-21 |
| CVE-2020-24444 | AEM Forms SP6 add-on for AEM 6.5.6.0 and Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 (6.4.8.2) have a blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability could be exploited by an unauthenticated attacker to gather information about internal systems that reside on the same network. | 5.8 | 0.63% | 2020-12-10 | 2024-11-21 |
| CVE-2020-28978 | The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker to make a request to any internal and external server via /includes/lib/tree.php?subdomain=SSRF. | 5.3 | 10.41% | 2020-11-30 | 2024-11-21 |
| CVE-2020-28977 | The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker to make a request to any internal and external server via /includes/lib/get.php?subdomain=SSRF. | 5.3 | 10.41% | 2020-11-30 | 2024-11-21 |
| CVE-2020-28976 | The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticated attacker to make a request to any internal and external server via /includes/lib/detail.php?subdomain=SSRF. | 5.3 | 42.19% | 2020-11-30 | 2024-11-21 |
| CVE-2020-24815 | A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: for 10.4, no fix will be released as the version will reach end-of-life on 31/12/2020. | 6.5 | 7.54% | 2020-11-24 | 2024-11-21 |
| CVE-2020-28360 | Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques. | 9.8 | 2.41% | 2020-11-23 | 2024-11-21 |
| CVE-2020-27626 | JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF. | 5.3 | 0.00% | 2020-11-16 | 2024-11-21 |
| CVE-2020-27624 | JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF. | 5.3 | 0.00% | 2020-11-16 | 2024-11-21 |
| CVE-2019-17566 | Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. | 7.5 | 0.81% | 2020-11-12 | 2024-11-21 |
| CVE-2020-7329 | Server-side request forgery vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers to trigger server-side DNS requests to arbitrary domains via carefully constructed XML files loaded by an ePO administrator. | 7.2 | 0.72% | 2020-11-11 | 2024-11-21 |
| CVE-2020-7328 | External entity attack vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers to gain control of a resource or trigger arbitrary code execution via improper input validation of an HTTP request, where the content for the attack has been loaded into ePO by an ePO administrator. | 7.2 | 1.50% | 2020-11-11 | 2024-11-21 |