CWE · MITRE source
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 6 mapping(s) from 4 framework(s): ASVS 5.0 3 (full) · CAPEC 1 (mostly) · OWASP-Web 1 (partial) · ATT&CK 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (4) [AI]
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-10 | Information Input Validation | SI | Validates server-side URLs and resource references to block SSRF attempts. |
| SI-4 | System Monitoring | SI | Detects server-side request forgery through monitoring of unexpected outbound connections. |
| CA-8 | Penetration Testing | CA | Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation. |
| SC-7 | Boundary Protection | SC | Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2016-3718 KEV | 10.0 | 5.5 | 0.7690 | 2016-05-05 |
| CVE-2019-9621 KEV | 10.0 | 7.5 | 0.8091 | 2019-04-30 |
| CVE-2020-7796 KEV | 10.0 | 9.8 | 0.8542 | 2020-02-18 |
| CVE-2021-21311 KEV | 10.0 | 7.2 | 0.9046 | 2021-02-11 |
| CVE-2021-27103 KEV | 10.0 | 9.8 | 0.1141 | 2021-02-16 |
| CVE-2021-21973 KEV | 10.0 | 5.3 | 0.8801 | 2021-02-24 |
| CVE-2021-26855 KEV | 10.0 | 9.1 | 1.0000 | 2021-03-03 |
| CVE-2021-22986 KEV | 10.0 | 9.8 | 0.9990 | 2021-03-31 |
| CVE-2021-21975 KEV | 10.0 | 7.5 | 0.7829 | 2021-03-31 |
| CVE-2021-21985 KEV | 10.0 | 9.8 | 1.0000 | 2021-05-26 |
| CVE-2021-22175 KEV | 10.0 | 6.8 | 0.5337 | 2021-06-11 |
| CVE-2021-34473 KEV | 10.0 | 9.1 | 1.0000 | 2021-07-14 |
| CVE-2021-40438 KEV | 10.0 | 9.0 | 1.0000 | 2021-09-16 |
| CVE-2021-39935 KEV | 10.0 | 6.8 | 0.3050 | 2021-12-13 |
| CVE-2021-22054 KEV | 10.0 | 7.5 | 0.9771 | 2021-12-17 |
| CVE-2022-41040 KEV | 10.0 | 8.8 | 0.9994 | 2022-10-03 |
| CVE-2023-41763 KEV | 10.0 | 5.3 | 0.9035 | 2023-10-10 |
| CVE-2024-21893 KEV UPD | 10.0 | 8.2 | 1.0000 | 2024-01-31 |
| CVE-2025-61884 KEV | 10.0 | 7.5 | 0.9758 | 2025-10-12 |
| CVE-2026-20230 KEV UPD | 10.0 | 8.6 | 0.4169 | 2026-06-03 |
| CVE-2017-9506 | 8.0 | 6.1 | 0.7160 | 2017-08-23 |
| CVE-2018-5006 | 8.0 | 7.5 | 0.5375 | 2018-07-20 |
| CVE-2018-14728 | 8.0 | 9.8 | 0.7651 | 2018-08-03 |
| CVE-2019-0227 | 8.0 | 7.5 | 0.8650 | 2019-05-01 |
| CVE-2019-8451 | 8.0 | 6.5 | 0.9445 | 2019-09-11 |