ERPNext
cpe:2.3:a:erpnext:erpnext:*:*:*:*:*:*:*
- 16.0.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Print Format feature of ERPNext version 16.0.1 and Frappe Framework version 16.1.1. This vulnerability arises because user-supplied HTML is not adequately sanitized before being converted into PDF. The PDF rendering engine, which uses wkhtmltopdf, processes the HTML and fetches external resources referenced by elements like iframes. This behavior can be exploited to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to the disclosure of sensitive information.
Exploitation of this vulnerability allows attackers to perform SSRF attacks against internal services, access cloud metadata endpoints (such as those on AWS or GCP), enumerate internal networks, and potentially retrieve sensitive information.
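A pre-render check for the condition described above, as an added example (not code from ERPNext or Frappe): it parses print-format HTML and reports every resource reference that would make the renderer fetch from a host outside an allowlist. The names `ResourceAudit` and `audit_print_html`, the attribute list, and the `example.test` hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "data", "poster", "background"}  # resource-loading attributes
# url(...) and quoted @import targets in inline or embedded CSS
CSS_REF = re.compile(r"""(?:url\(\s*['"]?|@import\s+['"])([^'")\s]+)""", re.I)
# Constructed sample: an allowed image plus an iframe to a placeholder internal host
SAMPLE = ('<img src="https://erp.example.test/files/logo.png">'
          '<iframe src="http://internal-service.example.test/status"></iframe>')


class ResourceAudit(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (tag, attribute, url) references that are off-allowlist
        self.in_style = False

    def check(self, tag, attr, url):
        parts = urlsplit(url.strip())
        if parts.scheme == "data" or not (parts.scheme or parts.netloc):
            return  # inline data or a same-site relative path (assumed safe here)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https", "") or host not in self.allowed:
            self.findings.append((tag, attr, url))

    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"
        for name, value in attrs:
            if name == "style" and value:
                for ref in CSS_REF.findall(value):
                    self.check(tag, "style", ref)
            elif name in URL_ATTRS and value and tag != "a":  # links are not fetched
                self.check(tag, name, value)

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        for ref in CSS_REF.findall(data) if self.in_style else ():
            self.check("style", "css", ref)


def audit_print_html(html, allowed_hosts):
    audit = ResourceAudit(allowed_hosts)
    audit.feed(html)
    audit.close()
    return audit.findings
```

Calling `audit_print_html(SAMPLE, {"erp.example.test"})` returns only the iframe reference. A static check like this does not see redirects issued by an allowed host, so it complements egress restrictions on the host that runs wkhtmltopdf rather than replacing them.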