Total
1861 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-21893 | 1 Ivanti | 3 Connect Secure, Neurons For Zero-trust Access, Policy Secure | 2025-10-30 | N/A | 8.2 HIGH |
| A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. | |||||
| CVE-2021-21973 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2025-10-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). | |||||
| CVE-2021-21975 | 1 Vmware | 3 Cloud Foundation, Vrealize Operations Manager, Vrealize Suite Lifecycle Manager | 2025-10-30 | 5.0 MEDIUM | 7.5 HIGH |
| Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials. | |||||
| CVE-2021-21985 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2025-10-30 | 10.0 HIGH | 9.8 CRITICAL |
| The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. | |||||
| CVE-2021-26855 | 1 Microsoft | 1 Exchange Server | 2025-10-30 | 7.5 HIGH | 9.1 CRITICAL |
| Microsoft Exchange Server Remote Code Execution Vulnerability | |||||
| CVE-2025-11636 | 1 Furbo | 2 Furbo 360 Dog Camera, Furbo 360 Dog Camera Firmware | 2025-10-30 | 5.1 MEDIUM | 5.6 MEDIUM |
| A security vulnerability has been detected in Tomofun Furbo 360 up to FB0035_FW_036. This issue affects some unknown processing of the component Account Handler. Such manipulation leads to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2022-41040 | 1 Microsoft | 1 Exchange Server | 2025-10-30 | N/A | 8.8 HIGH |
| Microsoft Exchange Server Elevation of Privilege Vulnerability | |||||
| CVE-2025-10145 | 2025-10-30 | N/A | 7.7 HIGH | ||
| The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.7 via the upload_to_library function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieval. | |||||
| CVE-2025-60898 | 2025-10-30 | N/A | 5.8 MEDIUM | ||
| An unauthenticated server-side request forgery (SSRF) vulnerability in the Thumbnail via-uri endpoint of Halo CMS 2.21 allows a remote attacker to cause the server to issue HTTP requests to attacker-controlled URLs, including internal addresses. The endpoint performs a server-side GET to a user-supplied URI without adequate allow/blocklist validation and returns a 307 redirect that can disclose internal URLs in the Location header. | |||||
| CVE-2025-52455 | 3 Linux, Microsoft, Tableau | 3 Linux Kernel, Windows, Tableau Server | 2025-10-29 | N/A | 5.3 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (EPS Server modules) allows Resource Location Spoofing. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | |||||
| CVE-2025-47700 | 1 Mattermost | 1 Mattermost Server | 2025-10-29 | N/A | 3.5 LOW |
| Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions | |||||
| CVE-2025-31993 | 1 Hcltech | 1 Unica Centralized Offer Management | 2025-10-29 | N/A | 3.5 LOW |
| HCL Unica Centralized Offer Management is vulnerable to a potential Server-Side Request Forgery (SSRF). An attacker can exploit improper input validation by submitting maliciously crafted input to a target application running on a server. | |||||
| CVE-2021-34473 | 1 Microsoft | 1 Exchange Server | 2025-10-29 | 10.0 HIGH | 9.1 CRITICAL |
| Microsoft Exchange Server Remote Code Execution Vulnerability | |||||
| CVE-2025-26494 | 1 Tableau | 1 Tableau Server | 2025-10-29 | N/A | 7.7 HIGH |
| Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server allows Authentication Bypass.This issue affects Tableau Server: from 2023.3 through 2023.3.5. | |||||
| CVE-2023-41763 | 1 Microsoft | 1 Skype For Business Server | 2025-10-28 | N/A | 5.3 MEDIUM |
| Skype for Business Elevation of Privilege Vulnerability | |||||
| CVE-2025-11648 | 1 Furbo | 4 Furbo 360 Dog Camera, Furbo 360 Dog Camera Firmware, Furbo Mini and 1 more | 2025-10-28 | 5.1 MEDIUM | 5.6 MEDIUM |
| A vulnerability has been found in Tomofun Furbo 360 and Furbo Mini. Impacted is an unknown function of the file TF_FQDN.json of the component GATT Interface URL Handler. Such manipulation leads to server-side request forgery. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is considered difficult. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2021-40438 | 11 Apache, Broadcom, Debian and 8 more | 40 Http Server, Brocade Fabric Operating System Firmware, Debian Linux and 37 more | 2025-10-27 | 6.8 MEDIUM | 9.0 CRITICAL |
| A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. | |||||
| CVE-2025-61884 | 1 Oracle | 1 Configurator | 2025-10-27 | N/A | 7.5 HIGH |
| Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2021-22986 | 1 F5 | 15 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 12 more | 2025-10-27 | 10.0 HIGH | 9.8 CRITICAL |
| On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. | |||||
| CVE-2025-62612 | 2025-10-27 | N/A | N/A | ||
| FastGPT is an AI Agent building platform. Prior to version 4.11.1, in the workflow file reading node, the network link is not security-verified, posing a risk of SSRF attacks. This issue has been patched in version 4.11.1. | |||||