Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.

INFO

Published Date :

2026-04-08T00:00:00.000Z

Last Modified :

2026-04-09T20:49:57.487Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31017 vulnerability.

Vendors Products
Frappe
  • Erpnext
  • Framework
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31017.

URL Resource
http://frappe.com cve-icon cve-icon
https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System