Cyber Resilience

CVE-2026-31017
Severity: Critical
Published: 08 April 2026
Modified: 14 April 2026
KEV Added: not listed
CVSS v3.1 base score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0024 (15.5th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-31017 is a critical-severity SSRF (CWE-918) vulnerability in Frappe Erpnext. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks this CVE at the 15.5th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

A Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-31017 and associated with CWE-918, affects the Print Format functionality in ERPNext version 16.0.1 and Frappe Framework version 16.1.1. The issue arises because user-supplied HTML is insufficiently sanitized before being rendered into PDF. This allows the inclusion of HTML elements, such as <iframe>, that reference external resources. The PDF rendering engine then automatically fetches these resources on the server side, enabling SSRF. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Any unauthenticated remote attacker can exploit this vulnerability by supplying malicious HTML content for PDF generation. By embedding references to arbitrary internal services—such as cloud metadata endpoints—the attacker forces the server to make unintended HTTP requests. This can result in the disclosure of sensitive information or further compromise of internal network resources, with high impact on confidentiality and integrity but no direct availability disruption.

Mitigation details and additional advisories are available in the referenced sources, including the Frappe website at http://frappe.com and a GitHub repository at https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017.

Vulnerability details

A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure.

CWE(s)

CWE-918: Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.005 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in the public-facing ERPNext/Frappe web application directly enables remote exploitation (T1190); the description explicitly highlights forced server-side requests to cloud metadata endpoints, enabling both metadata API access (T1522) and unsecured credential retrieval (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67289 (same product: Frappe Erpnext)
CVE-2025-65267 (same product: Frappe Erpnext)
CVE-2025-30212 (same product: Frappe Frappe)
CVE-2026-39351 (same product: Frappe Frappe)
CVE-2026-35614 (same product: Frappe Frappe)
CVE-2026-44446 (same product: Frappe Erpnext)
CVE-2026-31877 (same product: Frappe Frappe)
CVE-2026-44447 (same product: Frappe Erpnext)
CVE-2026-27471 (same product: Frappe Erpnext)
CVE-2023-54345 (same product: Frappe Erpnext)

Affected Assets

Vendor: frappe, Product: erpnext, Version: 16.0.1
Vendor: frappe, Product: frappe, Version: 16.1.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Requires validation and sanitization of user-supplied HTML to block dangerous elements like <iframe> before PDF rendering, directly preventing SSRF exploitation.

Boundary protection (prevent, detect)

Monitors and controls outbound communications at system boundaries to block unauthorized server-side HTTP requests to internal services from the PDF renderer.

AC-4 Information Flow Enforcement (prevent)

Enforces information flow control policies to restrict the application's ability to initiate unauthorized requests to internal endpoints based on user-controlled inputs.
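As an added example written for this page (not code from Frappe, ERPNext or the advisory's referenced repository), the allowlist sanitizer below applies the input-validation control above to Print Format HTML before it reaches the PDF renderer: it keeps only layout and text elements, strips every attribute that can carry a URL, discards <iframe>, <img> and similar fetch-triggering elements together with their content, and returns what it removed so the event can be logged. The sample input is constructed, and the tag and attribute allowlists and the function names are this example's own choices.

```python
import html
from html.parser import HTMLParser
# Layout/text elements only: none of these make an HTML-to-PDF engine fetch a URL.
ALLOWED_TAGS = {"p", "br", "hr", "b", "i", "u", "em", "strong", "span", "div", "h1", "h2",
                "h3", "ul", "ol", "li", "table", "thead", "tbody", "tr", "td", "th"}
# "style" is deliberately absent: CSS url(...) values are fetched by the renderer as well.
ALLOWED_ATTRS = {"class", "colspan", "rowspan", "align", "width"}
# Elements whose inner content is discarded together with the tag itself.
DROP_CONTENT_TAGS = {"iframe", "object", "script", "style", "svg", "noscript"}

class PrintFormatSanitizer(HTMLParser):
    """Allowlist sanitizer for user-supplied HTML about to be rendered to PDF server-side."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True, so handle_data() receives decoded text
        self.out, self.dropped, self._skip = [], [], 0  # dropped: (tag, attrs) for audit logs

    def handle_starttag(self, tag, attrs):
        if self._skip:  # inside a discarded subtree: only track nesting depth
            self._skip += 1 if tag in DROP_CONTENT_TAGS else 0
            return
        if tag in DROP_CONTENT_TAGS:
            self._skip = 1
        if tag not in ALLOWED_TAGS:  # iframe, img, link, embed, base, ... all end up here
            self.dropped.append((tag, attrs))
            return
        kept = [(k, v) for k, v in attrs if k in ALLOWED_ATTRS and v is not None]
        self.out.append("<%s%s>" % (tag, "".join(' %s="%s"' % (k, html.escape(v)) for k, v in kept)))

    def handle_startendtag(self, tag, attrs):  # <br/>, but also <iframe/>
        self.handle_starttag(tag, attrs)
        if tag in DROP_CONTENT_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self._skip:
            self._skip -= 1 if tag in DROP_CONTENT_TAGS else 0
        elif tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))  # re-escape the decoded text

def sanitize_print_html(user_html):
    """Return (clean_html, dropped_elements); log dropped_elements as a detection signal."""
    s = PrintFormatSanitizer()
    s.feed(user_html); s.close()
    return "".join(s.out), s.dropped

# Constructed sample: an invoice with an <iframe>, an <img> and a CSS url() smuggled in.
SAMPLE_HTML = ('<p>Invoice <b>#1</b></p><iframe src="http://metadata.internal.invalid/"></iframe>'
               '<img src="http://internal.invalid/x.png"><div style="background:url(http://x)">ok</div>')
```

Running sanitize_print_html(SAMPLE_HTML) yields only the paragraph and the bare div, with the iframe and img reported in the dropped list for logging.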
