Explore CVEs related to SSRF vulnerabilities, filtered by published year. This list is sorted by most recent disclosures first and supports filtering by CVSS and EPSS risk scores.
Includes the most recent vulnerability disclosures and trends, helping security teams quickly identify high-risk issues and exploitation likelihood.
You're viewing SSRF CVEs published in 2024.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2024-56800 | Firecrawl is a web scraper that allows users to extract the content of a webpage for a large language model. Versions prior to 1.1.1 contain a server-side request forgery (SSRF) vulnerability. The scraping engine could be exploited by crafting a malicious site that redirects to a local IP address. This allowed exfiltration of local network resources through the API. The cloud service was patched on December 27th, 2024, and the maintainers have checked that no user data was exposed by this vulner | 7.4 | 0.34% | 2024-12-30 | 2026-06-17 |
| CVE-2024-10044 | A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server's credentials to perform unauthorized web actions or access unauthorized web resources by combining it with the POST /register_worker endpoint. | 9.3 | 0.50% | 2024-12-30 | 2026-06-17 |
| CVE-2024-13032 | A vulnerability classified as problematic was found in Antabot White-Jotter up to 0.2.2. Affected by this vulnerability is an unknown functionality of the file /admin/content/editor of the component Article Editor. The manipulation of the argument articleCover leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 5.1 | 0.51% | 2024-12-29 | 2026-06-17 |
| CVE-2024-13029 | A vulnerability, which was classified as problematic, was found in Antabot White-Jotter up to 0.2.2. Affected is an unknown function of the file /admin/content/book of the component Edit Book Handler. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 5.3 | 0.50% | 2024-12-29 | 2026-06-17 |
| CVE-2024-50714 | A Server-Side Request Forgery (SSRF) in smarts-srl.com Smart Agent v.1.1.0 allows a remote attacker to obtain sensitive information via a crafted script to the /FB/getFbVideoSource.php component. | 7.5 | 0.56% | 2024-12-27 | 2026-06-17 |
| CVE-2024-12989 | A vulnerability was found in WISI Tangram GT31 up to 20241214 and classified as problematic. Affected by this issue is some unknown functionality of the component HTTP Request Handler. The manipulation leads to server-side request forgery. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 6.9 | 0.43% | 2024-12-27 | 2026-06-17 |
| CVE-2024-10903 | The Broken Link Checker WordPress plugin before 2.4.2 does not validate the link URLs before making a request to them, which could allow admin users to perform an SSRF attack, for example on a multisite installation. | 4.7 | 0.34% | 2024-12-26 | 2026-06-17 |
| CVE-2024-51463 | IBM i 7.3, 7.4, and 7.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | 5.4 | 0.84% | 2024-12-21 | 2026-06-17 |
| CVE-2024-12867 | Server-Side Request Forgery in URL Mapper in Arctic Security's Arctic Hub versions 3.0.1764-5.6.1877 allows an unauthenticated remote attacker to exfiltrate and modify configurations and data. | 8.8 | 0.47% | 2024-12-20 | 2026-06-17 |
| CVE-2024-49336 | IBM Security Guardium 11.5 and 12.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | 6.5 | 0.21% | 2024-12-19 | 2026-06-17 |
| CVE-2024-12801 | Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of the DOCTYPE declaration in XML configuration files. | 2.4 | 0.22% | 2024-12-19 | 2026-06-17 |
| CVE-2024-55082 | A Server-Side Request Forgery (SSRF) in the endpoint http://{your-server}/url-to-pdf of Stirling-PDF 0.35.1 allows attackers to access sensitive information via a crafted request. | 7.5 | 0.45% | 2024-12-19 | 2026-06-17 |
| CVE-2024-12121 | The Broken Link Checker \| Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the 'moblc_check_link' function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 5.4 | 0.26% | 2024-12-18 | 2026-06-17 |
| CVE-2024-52579 | Misskey is an open source, federated social media platform. Some APIs using `HttpRequestService` do not properly check the target host. This vulnerability allows an attacker to send POST or GET requests to the internal server, which may result in an SSRF attack. It allows an attacker to send POST or GET requests (with some controllable URL parameters) to private IPs, enabling further attacks on internal servers. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgra | 6.4 | 0.17% | 2024-12-18 | 2026-06-17 |
| CVE-2024-55089 | Rhymix before 2.1.24 is vulnerable to Server-Side Request Forgery (SSRF) in the background import data function because XML documents may contain external entities. | 4.1 | 0.20% | 2024-12-18 | 2026-06-17 |
| CVE-2024-55086 | In the GetSimple CMS CE 3.3.19 management page, Server-Side Request Forgery (SSRF) can be achieved in the plug-in download address in the backend management system. | 7.2 | 0.39% | 2024-12-18 | 2026-06-17 |
| CVE-2024-9624 | The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl_download function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On cloud platforms, it might allow attackers to read | 7.6 | 0.41% | 2024-12-17 | 2026-06-17 |
| CVE-2024-54385 | Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player radio-player allows Server Side Request Forgery. This issue affects Radio Player: from n/a through <= 2.0.83. | 7.2 | 5.11% | 2024-12-16 | 2026-06-17 |
| CVE-2024-54330 | Server-Side Request Forgery (SSRF) vulnerability in hurraki Hurrakify hurrakify allows Server Side Request Forgery. This issue affects Hurrakify: from n/a through <= 2.4. | 7.2 | 1.43% | 2024-12-13 | 2026-06-17 |
| CVE-2024-11836 | Server-Side Request Forgery (SSRF) vulnerability in PlexTrac allowing requests to internal system resources. This issue affects PlexTrac: from 1.61.3 before 2.8.1. | 8.6 | 0.27% | 2024-12-13 | 2026-06-17 |