CVE-2025-36560

CRITICAL Year: 2025
CVSS v3 Score
8.6
High
Weakness Type
CWE-918
View all →

Vulnerability Description

Server-side request forgery vulnerability exists in a-blog cms multiple versions. If this vulnerability is exploited, a remote unauthenticated attacker may gain access to sensitive information by sending a specially crafted request.

Related Vulnerabilities

CVE-2016-4029

HIGH
CVSS:8.6(High)

WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via ...

CWE-9182016

CVE-2016-6483

HIGH
CVSS:8.6(High)

The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5....

CWE-9182016

CVE-2016-6621

HIGH
CVSS:8.6(High)

The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.

CWE-9182016

CVE-2016-7964

HIGH
CVSS:8.6(High)

The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks. This a...

CWE-9182016

CVE-2016-9752

HIGH
CVSS:8.6(High)

In Serendipity before 2.0.5, an attacker can bypass SSRF protection by using a malformed IP address (e.g., http://127.1) or a 30x (aka Redirection) HTTP status code.

CWE-9182016

CVE-2017-15644

HIGH
CVSS:8.6(High)

SSRF exists in Webmin 1.850 via the PATH_INFO to tunnel/link.cgi, as demonstrated by a GET request for tunnel/link.cgi/http://INTRANET-IP:8000.

CWE-9182017