CVE-2026-31017

CRITICAL WAF: Medium

CVSS 9.1 Published: 2026-04-08

CWE-918

A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.</p> </div> <div class="space-y-6"> <div> <h2 class="text-xl font-semibold mb-3">WAF Coverage Analysis</h2> <div class="space-y-3"> <div class="rounded-lg border border-border bg-card p-4"> <div class="flex items-center justify-between mb-2"> <span class="font-medium">Server-Side Request Forgery (SSRF)</span> <span class="inline-flex items-center rounded-full px-2.5 py-0.5 text-xs font-semibold bg-yellow-500/10 text-yellow-500">Medium WAF Coverage</span> </div> <p class="text-sm text-muted-foreground mb-2">OWASP: A10:2021 SSRF</p> <div class="flex flex-wrap gap-1"><span class="inline-flex items-center rounded-full px-2.5 py-0.5 text-xs font-semibold bg-blue-500/10 text-blue-500">934xxx - Node.js / Generic Injection</span> </div> </div></div> </div> <div><h2 class='text-xl font-semibold mb-3'>Affected Software</h2><table class='w-full border border-border rounded-lg'><thead><tr class='bg-muted'><th class='px-4 py-2 text-left text-sm font-medium'>Vendor</th><th class='px-4 py-2 text-left text-sm font-medium'>Product</th><th class='px-4 py-2 text-left text-sm font-medium'>Version</th></tr></thead><tbody><tr><td class='px-4 py-2 text-sm'>frappe</td><td class='px-4 py-2 text-sm'>erpnext</td><td class='px-4 py-2 text-sm'>16.0.1</td></tr><tr><td class='px-4 py-2 text-sm'>frappe</td><td class='px-4 py-2 text-sm'>frappe</td><td class='px-4 py-2 text-sm'>16.1.1</td></tr></tbody></table></div> <div><h2 class='text-xl font-semibold mb-3'>References</h2><ul class='divide-y divide-border'><li class="py-2 border-b border-border last:border-0"><a href="http://frappe.com" class="text-primary hover:underline text-sm" rel="noopener noreferrer" target="_blank">frappe.com</a> <span class="text-xs text-muted-foreground">(Product)</span></li><li class="py-2 border-b border-border last:border-0"><a href="https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017" class="text-primary hover:underline text-sm" rel="noopener noreferrer" target="_blank">github.com</a> <span class="text-xs text-muted-foreground">(Third Party Advisory)</span></li></ul></div> </div> <div class="mt-8 pt-4 border-t border-border text-sm text-muted-foreground"> <a href="/cve/" class="text-primary hover:underline">Back to CVE Database</a> </div> </main> </body> </html>