{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31017", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-08T16:25:25.861Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-08T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-08T16:25:25.861Z"}, "descriptions": [{"lang": "en", "value": "A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://frappe.com"}, {"url": "https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure."}], "id": "CVE-2026-31017", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T17:21:18.737", "references": [{"source": "cve@mitre.org", "url": "http://frappe.com"}, {"source": "cve@mitre.org", "url": "https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T18:54:07.022626+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch or upgrade ERPNext to a version where Print Format PDF sanitization is fixed", "Restrict outbound HTTP connections from the ERPNext server to internal networks or cloud metadata endpoints", "Sanitize or whitelist user\u2011supplied HTML before PDF rendering as an interim measure", "Monitor server logs for unexpected outbound HTTP requests"], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery enabling internal resource access"}, "threat_synthesis": {"affected_systems": "ERPNext v16.0.1 and Frappe Framework v16.1.1, when using the Print Format PDF generation feature, are affected. No other versions are known to be impacted.", "description_and_impact": "This vulnerability permits a remote attacker to inject user\u2011controlled HTML containing elements such as <iframe> into the Print Format feature of ERPNext v16.0.1 and Frappe Framework v16.1.1. When a PDF is generated, the rendering engine fetches referenced resources server\u2011side, enabling the attacker to force the server to request arbitrary URLs, including internal services and cloud metadata endpoints. The results can be the disclosure of sensitive data such as internal IPs, configuration secrets, or role information, and can compromise overall confidentiality.", "risk_and_exploitability": "The CVSS score is not provided; however, the impact potential is high because an attacker can reach services not exposed externally. The EPSS score is unavailable and the vulnerability is not listed in the KEV catalog, suggesting no confirmed active exploitation yet. The attack vector is likely through a crafted print format that the user submits via the web interface, with no special privileges required beyond legitimate user access. If exploited, the server can internally request any network resource, which may lead to information disclosure or further lateral movement."}}}}, "created": "2026-04-08T19:44:35.014433+00:00", "title": "SSRF in ERPNext PDF Rendering Allows Server\u2011Side Requests", "updated": "2026-04-08T19:44:35.014465+00:00", "vendors": [], "weaknesses": ["CWE-918"]}