CWE-918 2913 個 CVE MITRE 定義 ↗

CWE-918:Server-Side Request Forgery (SSRF)

概覽

CWE-918(Server-Side Request Forgery (SSRF))描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Web Based Undetermined
technology AI/ML Often
technology Web Server Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-16223 2026-07-19 A vulnerability was determined in 1Panel-dev CordysCRM up to 1.4.1. Impacted is the function getSqlBotSrc of the file backend/crm/src/main/java/cn/cordys/crm/system/service/IntegrationConfigService.ja…
CVE-2026-16222 2026-07-19 A vulnerability was found in 1Panel-dev CordysCRM up to 1.4.1. This issue affects some unknown processing of the file backend/crm/src/main/java/cn/cordys/crm/integration/sso/service/TokenService.java …
CVE-2026-16196 2026-07-18 A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Impacted is the function isPrivateOrRestrictedIP of the file pkg/tools/integration/web.go of the component web_fetch. This manipulation c…
CVE-2026-16194 2026-07-18 A vulnerability was determined in zhayujie CowAgent up to 2.1.1. This affects the function WebFetch.execute of the file agent/tools/web_fetch/web_fetch.py. Executing a manipulation of the argument url…
CVE-2026-16128 2026-07-18 A security flaw has been discovered in zevorn rt-claw up to 0.2.0. This impacts the function receiver_thread of the file claw/services/swarm/swarm.c of the component http_request. Performing a manipul…
CVE-2026-16127 2026-07-18 A vulnerability was identified in zevorn rt-claw up to 0.2.0. This affects the function claw_net_get/claw_net_post of the file claw/tools/tool_net.c of the component http_request. Such manipulation of…
CVE-2026-16125 2026-07-18 A vulnerability was found in zevorn rt-claw up to 0.2.0. The affected element is the function claw_net_get/claw_net_post of the file claw/services/tools/net.c of the component http_request. The manipu…
CVE-2026-16124 2026-07-18 A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function CheckSSRF/isPrivateIP of the file internal/tools/web_shared.go of the component we…
CVE-2025-71398 2026-07-18 SurrealDB before 2.2.2 fails to validate HTTP redirects in http functions, allowing authenticated users to bypass deny-net restrictions by redirecting to blocked IP addresses. Attackers can host a pub…
CVE-2026-16084 2026-07-18 A weakness has been identified in Sipeed PicoClaw up to 0.2.9. This impacts the function web_fetch of the file pkg/tools/integration/web.go. This manipulation causes server-side request forgery. Remot…
CVE-2026-54242 2026-07-17 Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, the Glide image proxy's URL validation in src/Imaging/RemoteUrlValidator.php and src/Imaging/GuzzleA…
CVE-2026-53727 2026-07-17 css_parser is a Ruby CSS parser. From 2.2.0 until 3.0.0, CssParser::Parser#read_remote_file in lib/css_parser/parser.rb, and therefore load_uri! and the @import-following branch of add_block!, issued …
CVE-2026-16074 2026-07-17 A vulnerability was detected in AstrBotDevs AstrBot up to 4.25.2. This affects the function update_plugin/update_all_plugins of the file astrbot/dashboard/routes/plugin.py of the component Plugin Upda…
CVE-2026-50151 2026-07-17 oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, registry/remote/repository.go in blobStore.completePushAfterInitialPost follows a registry-controlled Location header during monolit…
CVE-2026-48978 2026-07-17 oras-go is a Go library for managing OCI artifacts. Prior to 2.6.1, auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating the scheme or host, allowi…
CVE-2026-63096 2026-07-17 Dendrite through 0.13.8 contains a server-side request forgery vulnerability that allows unauthenticated attackers to cause the server to open outbound TLS connections to arbitrary hosts and ports by …
CVE-2026-16016 2026-07-17 A vulnerability was identified in poco-ai poco-claw up to 0.5.4. This issue affects the function run_task of the file executor/app/api/v1/task.py. The manipulation of the argument callback_url leads t…
CVE-2026-62234 2026-07-16 Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Att…
CVE-2026-62227 2026-07-16 OpenClaw 2026.4.14 before 2026.5.26 contain a server-side request forgery vulnerability in browser snapshot routes that fail to validate post-navigation destinations. Attackers with lower-trust access…
CVE-2026-62226 2026-07-16 OpenClaw 2026.3.28 before 2026.5.19 contain an authorization bypass vulnerability in the browser act route that fails to properly validate current-tab URL checks. Attackers with lower-trust access or …

內容提交

名稱
CWE Content Team
組織
MITRE
日期
2013-02-17
版本
2.4

內容修訂

日期 名稱 版本 重要性 評論
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-01-19 CWE Content Team 2.10 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, References
2018-03-27 CWE Content Team 3.1 updated References
2019-06-20 CWE Content Team 3.3 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Relationships
2021-07-20 CWE Content Team 4.5 updated References, Related_Attack_Patterns, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-06-28 CWE Content Team 4.8 updated Observed_Examples, Relationships
2022-10-13 CWE Content Team 4.9 updated Observed_Examples
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes, Relationships
2024-11-19 CWE Content Team 4.16 updated Alternate_Terms, Common_Consequences, Description, Diagram, Observed_Examples, Relationships
2025-09-09 CWE Content Team 4.18 updated Applicable_Platforms, Observed_Examples, References
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Demonstrative_Examples, References, Relationships, Weakness_Ordinalities
2026-04-30 CWE Content Team 4.20 updated Applicable_Platforms, Observed_Examples, References, Relationships

貢獻

類型 名稱 日期 評論
Content Abhi Balakrishnan 2024-02-29 Provided diagram to improve CWE usability
Content Affan Ahmed 2025-02-08 Provided a PHP-based demonstrative example
cvelogic Threat Intelligence