Cyber Posture

CWE-918: Server-Side Request Forgery (SSRF)

Abstraction: Base · CVEs in our corpus: 2,478

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (4) AI

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-10 | Information Input Validation | SI | Validates server-side URLs and resource references to block SSRF attempts. |
| SI-4 | System Monitoring | SI | Detects server-side request forgery through monitoring of unexpected outbound connections. |
| CA-8 | Penetration Testing | CA | Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation. |
| SC-7 | Boundary Protection | SC | Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact. |

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-22986 KEV | 9.6 | 9.8 | 0.9448 | 2021-03-31 |
| CVE-2021-21985 KEV | 9.6 | 9.8 | 0.9441 | 2021-05-26 |
| CVE-2020-7796 KEV | 9.5 | 9.8 | 0.9269 | 2020-02-18 |
| CVE-2021-26855 KEV | 9.5 | 9.1 | 0.9435 | 2021-03-03 |
| CVE-2021-34473 KEV | 9.5 | 9.1 | 0.9423 | 2021-07-14 |
| CVE-2021-40438 KEV | 9.5 | 9.0 | 0.9443 | 2021-09-16 |
| CVE-2022-41040 KEV | 9.4 | 8.8 | 0.9415 | 2022-10-03 |
| CVE-2024-21893 KEV | 9.3 | 8.2 | 0.9432 | 2024-01-31 |
| CVE-2021-21975 KEV | 9.2 | 7.5 | 0.9442 | 2021-03-31 |
| CVE-2019-9621 KEV | 9.1 | 7.5 | 0.9411 | 2019-04-30 |
| CVE-2021-21311 KEV | 9.1 | 7.2 | 0.9418 | 2021-02-11 |
| CVE-2021-22054 KEV | 9.1 | 7.5 | 0.9384 | 2021-12-17 |
| CVE-2021-21973 KEV | 8.5 | 5.3 | 0.9039 | 2021-02-24 |
| CVE-2016-3718 KEV | 7.8 | 5.5 | 0.7882 | 2016-05-05 |
| CVE-2019-18394 | 7.6 | 9.8 | 0.9388 | 2019-10-24 |
| CVE-2021-27905 | 7.6 | 9.8 | 0.9390 | 2021-04-13 |
| CVE-2021-33690 | 7.6 | 9.9 | 0.9326 | 2021-09-15 |
| CVE-2022-1386 | 7.6 | 9.8 | 0.9361 | 2022-05-16 |
| CVE-2023-51467 | 7.6 | 9.8 | 0.9400 | 2023-12-26 |
| CVE-2020-26948 | 7.5 | 9.8 | 0.9173 | 2020-10-10 |
| CVE-2021-27670 | 7.5 | 9.8 | 0.9284 | 2021-02-25 |
| CVE-2021-22175 KEV | 7.5 | 6.8 | 0.6974 | 2021-06-11 |
| CVE-2021-32682 | 7.5 | 9.8 | 0.9277 | 2021-06-14 |
| CVE-2023-43654 | 7.5 | 10.0 | 0.9165 | 2023-09-28 |
| CVE-2023-48022 | 7.5 | 9.8 | 0.9219 | 2023-11-28 |