Description
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.
Published: 2026-04-08
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

An SSRF vulnerability in the Print Format feature of ERPNext v16.0.1 and Frappe v16.1.1 permits an attacker to supply user‑controlled HTML containing <iframe> elements whose referenced resources the server fetches during PDF generation, directing the server to perform arbitrary HTTP requests to internal or cloud metadata endpoints and thereby disclosing sensitive data.

Affected Systems

ERPNext v16.0.1 and the underlying Frappe Framework v16.1.1 are affected. The flaw exists in the Print Format functionality that renders user‑supplied HTML into PDF. No other product versions are listed as affected in the available data.

Risk and Exploitability

The flaw carries a CVSS score of 9.1 (Critical), indicating high impact and easy exploitability. The EPSS score is below 1%, suggesting a low likelihood of widespread exploitation so far, and the vulnerability is not currently cataloged in CISA's KEV list. The attack vector is inferred to be the ability to supply arbitrary HTML to the Print Format interface: any user with privileges to create or modify print formats could inject malicious content and trigger the SSRF. Because the server component performs the external fetch, the impact falls on the server's network, potentially exposing internal services. The high CVSS score and the data‑disclosure nature of the flaw underscore the need for mitigation even if exploitation is currently rare.

Generated by OpenCVE AI on April 14, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether an updated release of ERPNext or Frappe that addresses the SSRF has been made available on the vendor’s website, and if so, apply the patch immediately.
  • If no patch is available, reduce the attack surface by limiting the Print Format feature to trusted users or disabling PDF generation of user‑supplied HTML from unauthenticated sources.
  • Strengthen network controls by adding firewall or routing rules that block outbound HTTP traffic from the ERPNext/Frappe server to internal addresses or cloud metadata endpoints that are not required for normal operation.
  • Continuously monitor application logs for unexpected outbound requests to internal services, and investigate any anomalies promptly.
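The pre-render filter that the description and the second and third actions above point at, shown as an added example (this is not ERPNext or Frappe code): it strips the elements that make a PDF engine fetch a document (iframe, object, embed and the like), drops inline CSS that loads a resource via url(), and keeps a resource URL only if it is a relative path, an inline raster image, or an http(s) URL on an allowlisted host; literal IP addresses in loopback, private or link-local ranges are refused. ALLOWED_HOSTS, the sample print HTML and the assumption that the application can run this filter over the print-format HTML before handing it to the PDF engine are all constructed for the example.

```python
"""Sanitize user-supplied print HTML before a server-side PDF renderer sees it.

Added example for this advisory, not ERPNext/Frappe code. Assumes the app can
filter the print-format HTML string before the PDF engine receives it, and that
the hosts allowed to serve print assets are listed in ALLOWED_HOSTS.
"""
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of hostnames a rendered print may fetch from. Matching
# on hostname rather than a resolved address keeps the decision independent
# of DNS answers that could change between check and fetch.
ALLOWED_HOSTS = {"assets.example.com"}
# Inline image types accepted as data: URIs (SVG excluded: it can reference
# external resources of its own).
ALLOWED_DATA_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
# Elements that make the renderer fetch a document or run code; removed with
# their content.
BLOCKED_ELEMENTS = {"iframe", "frame", "object", "embed", "script", "style",
                    "link", "base", "meta"}
# Elements without an end tag (they never change nesting depth).
VOID_ELEMENTS = {"img", "br", "hr", "input", "source", "area", "col", "wbr",
                 "param", "meta", "link", "base", "embed", "frame"}
# Resource-loading attributes that must pass is_allowed_resource_url().
URL_ATTRS = {"img": {"src"}, "source": {"src"}, "video": {"src", "poster"},
             "audio": {"src"}}
# Attributes dropped unconditionally (multi-URL or script-bearing).
ALWAYS_DROP_ATTRS = {"srcset", "formaction", "xlink:href", "ping"}


def is_allowed_resource_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for URLs the renderer may fetch while building the PDF."""
    parts = urlsplit(url.strip())
    if parts.scheme == "data":
        return parts.path.split(";", 1)[0].lower() in ALLOWED_DATA_TYPES
    if not parts.scheme and not parts.netloc:
        return True  # relative path: resolves against the app's own base URL
    if parts.scheme not in ("http", "https"):
        return False  # file://, ftp:// and other schemes never fetch
    host = (parts.hostname or "").lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in allowed_hosts  # plain hostname: allowlist decides
    # Literal IP: loopback, RFC 1918 and link-local (where cloud metadata
    # services live) are not global; even a global IP must be allowlisted.
    return addr.is_global and host in allowed_hosts


class PrintHTMLSanitizer(HTMLParser):
    """Rebuilds the HTML, dropping blocked elements and unsafe attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a blocked, non-void element
        self.dropped = []    # audit trail of (tag, reason) for logging

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name in ALWAYS_DROP_ATTRS:
                self.dropped.append((tag, name))
            elif name == "style" and "url(" in value.lower():
                self.dropped.append((tag, "style with url()"))  # CSS fetch
            elif name in URL_ATTRS.get(tag, ()) and not is_allowed_resource_url(value):
                self.dropped.append((tag, f"{name}={value}"))
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_ELEMENTS:
            self.dropped.append((tag, "blocked element"))
            if tag not in VOID_ELEMENTS:
                self.skip_depth += 1  # an unclosed block drops the rest: fail closed
        elif not self.skip_depth:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        if tag in BLOCKED_ELEMENTS and tag not in VOID_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (incl. conditional comments) carry nothing a print needs


def sanitize_print_html(source: str):
    """Return (clean_html, dropped): the filtered HTML and what was removed."""
    parser = PrintHTMLSanitizer()
    parser.feed(source)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample print format mixing legitimate assets with the kinds of
# internal, loopback and link-local references the advisory describes.
SAMPLE_PRINT_HTML = """<h1>Sales Invoice</h1>
<img src="/files/logo.png" alt="logo">
<img src="https://assets.example.com/stamp.png">
<img src="http://10.0.0.5/internal.png">
<iframe src="http://169.254.10.10/"></iframe>
<object data="file:///etc/hostname"></object>
<div style="background:url(http://127.0.0.1:8080/x)">Total: 100</div>
<p onload="x()">Thank you</p>
"""

if __name__ == "__main__":
    clean, dropped = sanitize_print_html(SAMPLE_PRINT_HTML)
    print(clean)
    for tag, reason in dropped:
        print(f"dropped <{tag}>: {reason}")
```

The filter complements the outbound firewall rule in the third action rather than replacing it: redirects and @import rules inside a fetched stylesheet are decided by the PDF engine, not by the HTML it was given, so the network boundary still has to refuse connections to internal and metadata ranges. The `dropped` list is the hook for the fourth action; logging it per print format turns a silently blocked fetch into an event that can be investigated.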


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:30:00 +0000
  Title: SSRF Vulnerability in ERPNext PDF Rendering Enables Internal Resource Discovery and Data Exposure

Tue, 14 Apr 2026 16:00:00 +0000
  First Time appeared: Frappe frappe
  CPEs: cpe:2.3:a:frappe:erpnext:16.0.1:*:*:*:*:*:*:*, cpe:2.3:a:frappe:frappe:16.1.1:*:*:*:*:*:*:*
  Vendors & Products: Frappe frappe

Fri, 10 Apr 2026 10:00:00 +0000
  Title: SSRF in ERPNext PDF Rendering Allows Server‑Side Requests

Thu, 09 Apr 2026 21:30:00 +0000
  Metrics: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Thu, 09 Apr 2026 08:30:00 +0000
  First Time appeared: Frappe; Frappe erpnext; Frappe framework
  Vendors & Products: Frappe; Frappe erpnext; Frappe framework

Wed, 08 Apr 2026 20:15:00 +0000
  Title: SSRF in ERPNext PDF Rendering Allows Server‑Side Requests
  Weaknesses: CWE-918

Wed, 08 Apr 2026 17:00:00 +0000
  Description: A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.
References

MITRE
  Status: PUBLISHED
  Assigner: mitre
  Published:
  Updated: 2026-04-09T20:49:57.487Z
  Reserved: 2026-03-09T00:00:00.000Z
  Link: CVE-2026-31017

Vulnrichment
  No data.

NVD
  Status: Analyzed
  Published: 2026-04-08T17:21:18.737
  Modified: 2026-04-14T15:46:59.460
  Link: CVE-2026-31017

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-15T16:15:11Z

Weaknesses