CVE-2026-31017

CRITICAL

ERPNext 16.0.1 & Frappe Framework 16.1.1 - SSRF

Title source: llm

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.

References (2)

http://frappe.com

https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017

View Writeup ZIP pw:eip

Scores

CVSS v3 9.1

EPSS 0.0004

EPSS Percentile 11.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-918

Status published

Products (2)

frappe/erpnext 16.0.1

frappe/frappe 16.1.1

Published Apr 08, 2026

Tracked Since Apr 08, 2026