EUVD-2026-20511
GHSA-2vgp-8568-m98f
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.
Analysis
Server-Side Request Forgery in ERPNext 16.0.1 and Frappe Framework 16.1.1 enables unauthenticated attackers to force servers to make arbitrary HTTP requests to internal services through insufficiently sanitized HTML in Print Format PDF generation. Attackers inject HTML elements like <iframe> referencing external resources, which the PDF rendering engine automatically fetches server-side, exposing cloud metadata endpoints and internal network resources. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all ERPNext and Frappe Framework instances in production to confirm versions (16.0.1 and 16.1.1); disable PDF print format generation or restrict to authenticated users only. Within 7 days: Contact Frappe/ERPNext vendor for patch availability timeline and interim guidance; implement network segmentation to prevent PDF rendering servers from accessing sensitive internal endpoints and cloud metadata services. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today