Description
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.
Published: 2026-04-08
Score: n/a
EPSS: n/a
KEV: No
Impact: Server‑Side Request Forgery enabling internal resource access
Action: Apply Patch
AI Analysis

Impact

This vulnerability lets a remote attacker place user‑controlled HTML containing elements such as <iframe> into a Print Format in ERPNext v16.0.1 and Frappe Framework v16.1.1. When a PDF is generated from that format, the rendering engine fetches the referenced resources from the server itself, so the attacker can make the server request arbitrary URLs, including internal services and cloud metadata endpoints. Because the fetched content is laid out inside the PDF that the attacker then downloads, the response is readable rather than merely triggered, and sensitive data such as internal addresses, configuration secrets, or role information exposed by the metadata service can be disclosed.

Affected Systems

ERPNext v16.0.1 and Frappe Framework v16.1.1 are affected when the Print Format PDF generation feature is used. The advisory names only these versions; whether earlier or later releases share the same PDF rendering path is not stated, so treat neighbouring versions as unverified rather than safe.

Risk and Exploitability

No CVSS score is provided, but the impact potential is high because the server can be made to reach services that are not exposed externally. No EPSS score is available and the vulnerability is not listed in the KEV catalog, which indicates no confirmed active exploitation at the time of writing. The likely attack path is a crafted Print Format submitted through the web interface by an authenticated user who is allowed to create or edit print formats; no privileges beyond that are described. Once exploited, the server will request any network resource it can reach, which can lead to information disclosure from internal services and metadata endpoints and, with harvested credentials, to further lateral movement.

Generated by OpenCVE AI on April 8, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch when one is published, or upgrade to a release in which Print Format PDF sanitization is fixed; at the time of this page no fix or workaround was listed (see Remediation above)
  • Block outbound HTTP from the host that runs the PDF renderer to internal networks and to cloud metadata endpoints (169.254.169.254 and provider‑specific equivalents) with egress firewall rules; on AWS, requiring IMDSv2 also stops a plain GET issued by the renderer from reading instance credentials
  • As an interim measure, sanitize user‑supplied Print Format HTML before rendering: strip <iframe>, <object>, <embed>, <link>, <script> and similar fetch‑capable elements, drop inline CSS url() references, and allow <img> sources only from an allowlist of hosts or same‑origin paths
  • Monitor for unexpected outbound HTTP requests from the renderer process, in particular to RFC 1918, loopback and link‑local addresses, and audit Print Format records for markup that references external hosts
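The sanitize‑or‑allowlist action is the one a deployment can implement itself while waiting for a fix, and it is also the clearest way to see the mechanism the Impact section describes, so a worked example follows. This is added illustration code, not ERPNext or Frappe code and not a patch from the project: a small HTML rewriter that removes the fetch‑capable elements the description names (<iframe> and friends), strips URL‑bearing attributes and CSS url()/@import references, and keeps <img> only when its source passes an egress policy that rejects non‑global literal addresses (which covers 169.254.169.254 and RFC 1918 space) and unknown host names. The ALLOWED_HOSTS set, the same‑origin treatment of root‑relative paths and the sample print format are assumptions of the example; the sample is constructed, not taken from a real exploit.

```python
"""Added example, not ERPNext or Frappe code: sanitise user-supplied print format
HTML before a PDF renderer sees it, so it can only fetch explicitly allowed resources."""
import html
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# No print format needs these; each one makes the renderer fetch a URL.
ALWAYS_DROP = {"iframe", "frame", "object", "embed", "script", "link", "base", "meta"}
MEDIA_TAGS = {"img", "source", "video", "audio"}   # kept only if src passes the policy
VOID_TAGS = {"area", "base", "br", "col", "embed", "frame", "hr", "img", "input", "link", "meta", "source", "wbr"}
# Other URL-carrying attributes; href on <a> stays, a PDF hyperlink is not fetched.
URL_ATTRS = {"src", "srcset", "poster", "data", "background", "xlink:href", "action"}
CSS_FETCH = re.compile(r"url\s*\(|@import", re.IGNORECASE)
ALLOWED_HOSTS = {"assets.example.com"}   # assumed per-deployment allowlist of external hosts

def url_is_blocked(url: str) -> bool:
    """Egress policy for one resource URL. Root-relative paths count as same-origin (an
    assumption here); otherwise require http(s) to an allowlisted name or a global IP."""
    url = url.strip()
    if url.startswith("/") and not url.startswith(("//", "/\\")):
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return True                        # file:, data:, gopher:, javascript: ...
    host = (parts.hostname or "").lower()
    if not host:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host not in ALLOWED_HOSTS   # names: allowlist only, no DNS here
    # Literal IPs: globally routable only; rejects RFC 1918, loopback and 169.254/16 (metadata).
    return not ip.is_global

class PrintFormatSanitizer(HTMLParser):
    """Re-serialises markup without fetch-capable elements, URL/event attributes or fetching CSS."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []   # dropped: (where, value) pairs for audit logs
        self._skip = []                   # open dropped elements whose content is swallowed
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        a = dict(attrs)
        if tag in ALWAYS_DROP or (tag in MEDIA_TAGS and url_is_blocked(a.get("src") or "")):
            self.dropped.append((tag, a.get("src") or a.get("href") or a.get("data")))
            if tag not in VOID_TAGS:
                self._skip.append(tag)
            return
        kept = []
        for k, v in attrs:
            v = v or ""
            bad = (k in URL_ATTRS and not (tag in MEDIA_TAGS and k == "src")
                   or k.startswith("on") or (k == "style" and CSS_FETCH.search(v)))
            if bad:
                self.dropped.append((f"{tag}[{k}]", v))
            else:
                kept.append(f' {k}="{html.escape(v)}"')
        self._in_style = tag == "style"
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip[-1]:
                self._skip.pop()
        elif tag not in ALWAYS_DROP and tag not in VOID_TAGS:
            self._in_style = False
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip:
            return
        if self._in_style and CSS_FETCH.search(data):   # raw CSS that would fetch
            self.dropped.append(("style", data.strip()))
        else:
            self.out.append(data if self._in_style else html.escape(data, quote=False))

def sanitize_print_format(raw_html: str):
    """Returns (clean_html, dropped) for one user-supplied print format."""
    p = PrintFormatSanitizer()
    p.feed(raw_html)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample (not from the advisory): a print format aimed at metadata and internal hosts.
SAMPLE = ('<h1>Invoice</h1><img src="/files/logo.png" alt="logo">'
          '<iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/"></iframe>'
          '<img src="http://10.0.0.5:8080/admin/users">'
          '<div style="background:url(http://127.0.0.1:9200/_cat/indices)">Total: 1 &amp; 2</div>'
          '<style>@import url("http://[::1]:6379/");</style>')

if __name__ == "__main__":
    print(*sanitize_print_format(SAMPLE), sep="\n")
```

Running the file prints the cleaned markup, which keeps the heading, the logo and the total but none of the four fetching constructs, followed by the dropped list. Host names are not resolved here, so a name that resolves to an internal address, or rebinds after the check, is not caught; that is why this belongs alongside the egress‑blocking action rather than instead of it. The returned dropped list is the record to write to the audit log for the monitoring action.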



Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Frappe
                                        Frappe erpnext
                                        Frappe framework
Vendors & Products                      Frappe
                                        Frappe erpnext
                                        Frappe framework

Wed, 08 Apr 2026 20:15:00 +0000

Type                  Values Removed    Values Added
Title                                   SSRF in ERPNext PDF Rendering Allows Server‑Side Requests
Weaknesses                              CWE-918

Wed, 08 Apr 2026 17:00:00 +0000

Type                  Values Removed    Values Added
Description                             A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-08T16:25:25.861Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31017

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T17:21:18.737

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-31017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:22:47Z

Weaknesses