Skip to main content

Pentestify CVE-2026-13150

| EUVDEUVD-2026-38735 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-24 4daa8cea-433a-44bd-9456-53b127fc289a GHSA-jmg8-x6hq-972w
6.9
CVSS 4.0 · Vendor: 4daa8cea-433a-44bd-9456-53b127fc289a
Share

Severity by source

Vendor (4daa8cea-433a-44bd-9456-53b127fc289a) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.8 MEDIUM

Host header SSRF is network-exploitable with no auth per CVSS 4.0 PR:N; scope changes as server contacts external systems; only low confidentiality impact on subsequent systems, no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (4daa8cea-433a-44bd-9456-53b127fc289a).

CVSS VectorVendor: 4daa8cea-433a-44bd-9456-53b127fc289a

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 12:16 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 11:31 vuln.today
Analysis Generated
Jun 24, 2026 - 11:31 vuln.today

DescriptionCVE.org

Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.

AnalysisAI

Server-Side Request Forgery in Pentestify 1.0.0's PDF generation endpoint enables remote attackers (PR:N per CVSS 4.0 vector) to coerce the server into issuing outbound HTTP requests to arbitrary internal or external targets, including cloud metadata services such as the AWS Instance Metadata Service at 169.254.169.254, by supplying a crafted HTTP Host header. The rendered PDF is returned to the caller, potentially leaking internal service responses or IAM role credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send GET /api/reports/{id}/pdf with crafted Host header
Delivery
Backend derives render base URL from request.base_url
Exploit
PDF renderer fetches content from attacker-specified target URL
Execution
Internal service or cloud metadata response rendered into PDF
Impact
Attacker receives HTTP response containing exfiltrated internal data

Vulnerability AssessmentAI

Exploitation The GET /api/reports/{id}/pdf endpoint must be network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.9 reflects a network-accessible (AV:N), low-complexity (AC:L) SSRF with no privileges required (PR:N) and no user interaction (UI:N), with subsequent confidentiality impact rated Low (SC:L) and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends GET /api/reports/1/pdf to a publicly exposed Pentestify instance with the HTTP Host header set to 169.254.169.254. The backend constructs the PDF render base URL from request.base_url, yielding http://169.254.169.254/, and the PDF renderer fetches the AWS IMDS root endpoint. …
Remediation Upgrade to Pentestify 1.1.0, which introduces Pydantic field validators in schemas.py enforcing that client_logo and images fields accept only base64 data URIs (matching the pattern data:image/<type>;base64,<data>), preventing remote URL embedding during PDF rendering. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy