{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31017", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T20:49:57.487Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-08T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-08T16:25:25.861Z"}, "descriptions": [{"lang": "en", "value": "A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://frappe.com"}, {"url": "https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T20:49:37.726087Z", "id": "CVE-2026-31017", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:49:57.487Z"}}]}, "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frappe:erpnext:16.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "3B49FE4D-85A8-44E2-9BF2-E60B7FFBAC81", "vulnerable": true}, {"criteria": "cpe:2.3:a:frappe:frappe:16.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "461D4C6F-5E45-43CA-A47F-D5DDDD083786", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure."}], "id": "CVE-2026-31017", "lastModified": "2026-04-14T15:46:59.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T17:21:18.737", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "http://frappe.com"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "16.0.1"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "erpnext", "vendor": "frappe"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "16.1.1"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "framework", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-14T18:05:26.156345+00:00", "value": {"mitigation_remediation": ["Verify whether an updated release of ERPNext or Frappe that addresses the SSRF has been made available on the vendor\u2019s website, and if so, apply the patch immediately.", "If no patch is available, reduce the attack surface by limiting the Print Format feature to trusted users or disabling PDF generation of user\u2011supplied HTML from unauthenticated sources.", "Strengthen network controls by adding firewall or routing rules that block outbound HTTP traffic from the ERPNext/Frappe server to internal addresses or cloud metadata endpoints that are not required for normal operation.", "Continuously monitor application logs for unexpected outbound requests to internal services, and investigate any anomalies promptly."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Information Disclosure"}, "threat_synthesis": {"affected_systems": "ERPNext\u202fv16.0.1 and the underlying Frappe Framework\u202fv16.1.1 are affected. The flaw exists in the Print Format functionality that renders user\u2011supplied HTML into PDF. No other product versions are listed as affected in the available data.", "description_and_impact": "An SSRF vulnerability in the Print Format feature of ERPNext\u202fv16.0.1 and Frappe\u202fv16.1.1 permits an attacker to supply user\u2011controlled HTML containing <iframe> elements that the server fetches during PDF generation, directing the server to perform arbitrary HTTP requests to internal or cloud metadata endpoints, thereby disclosing sensitive data.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.1, indicating a high impact and exploitability. The EPSS score is below 1%, suggesting a low likelihood of widespread exploitation so far, and the vulnerability is not currently cataloged by CISA's KEV list. The attack vector is inferred to be the ability to supply arbitrary HTML to the Print Format interface\u2014any user with privileges to create or modify print formats could inject malicious content and trigger the SSRF. Because the server component performs the external fetch, the impact is on the system's network, potentially exposing internal services. The high CVSS score and the data\u2011disclosure nature underscore the need for mitigation even if exploitation is currently rare."}}}}, "created": "2026-04-08T19:44:35.014433+00:00", "title": "SSRF Vulnerability in ERPNext PDF Rendering Enables Internal Resource Discovery and Data Exposure", "updated": "2026-04-15T16:15:11.955057+00:00", "vendors": ["frappe", "frappe$PRODUCT$erpnext", "frappe$PRODUCT$framework"]}