Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Host header SSRF is network-exploitable with no auth per CVSS 4.0 PR:N; scope changes as server contacts external systems; only low confidentiality impact on subsequent systems, no integrity or availability effect.
Primary rating from Vendor (4daa8cea-433a-44bd-9456-53b127fc289a).
CVSS VectorVendor: 4daa8cea-433a-44bd-9456-53b127fc289a
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.
AnalysisAI
Server-Side Request Forgery in Pentestify 1.0.0's PDF generation endpoint enables remote attackers (PR:N per CVSS 4.0 vector) to coerce the server into issuing outbound HTTP requests to arbitrary internal or external targets, including cloud metadata services such as the AWS Instance Metadata Service at 169.254.169.254, by supplying a crafted HTTP Host header. The rendered PDF is returned to the caller, potentially leaking internal service responses or IAM role credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The GET /api/reports/{id}/pdf endpoint must be network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 6.9 reflects a network-accessible (AV:N), low-complexity (AC:L) SSRF with no privileges required (PR:N) and no user interaction (UI:N), with subsequent confidentiality impact rated Low (SC:L) and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends GET /api/reports/1/pdf to a publicly exposed Pentestify instance with the HTTP Host header set to 169.254.169.254. The backend constructs the PDF render base URL from request.base_url, yielding http://169.254.169.254/, and the PDF renderer fetches the AWS IMDS root endpoint. … |
| Remediation | Upgrade to Pentestify 1.1.0, which introduces Pydantic field validators in schemas.py enforcing that client_logo and images fields accept only base64 data URIs (matching the pattern data:image/<type>;base64,<data>), preventing remote URL embedding during PDF rendering. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38735
GHSA-jmg8-x6hq-972w