CVE-2026-31017 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: April 9, 2026
ERPNext & Frappe Framework - Server-Side Request Forgery
Published: April 8, 2026 | Updated: April 9, 2026 | Remote Exploitable
Overview
ERPNext v16.0.1 and Frappe Framework v16.1.1 contain a server-side request forgery (SSRF) vulnerability caused by insufficient sanitization of user-supplied HTML in Print Format PDF rendering. An attacker who can supply HTML to a Print Format can make the server issue HTTP requests to internal services while the PDF is rendered; exploitation requires user-controlled HTML input.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can make the server perform arbitrary HTTP requests, potentially disclosing sensitive internal information.
Mitigation
Update ERPNext and Frappe Framework to the latest versions that sanitize HTML input properly.
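As an added illustration of the mitigation (this is example code, not Frappe or ERPNext code), the gate below inspects the resource-loading attributes in user-supplied Print Format HTML before it reaches the PDF engine and refuses to render when any of them would make the server fetch a non-public address. The attribute list, the `resolve` hook and the sample HTML are assumptions constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes an HTML-to-PDF engine typically dereferences while rendering
# (assumed list; extend it to match the renderer actually in use).
FETCH_ATTRS = {("img", "src"), ("link", "href"), ("iframe", "src"),
               ("script", "src"), ("object", "data"), ("embed", "src")}

class ResourceCollector(HTMLParser):
    """Collects every URL the renderer would fetch for this document."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in FETCH_ATTRS and value:
                self.urls.append(value)

def is_internal_target(url, resolve=lambda host: [host]):
    """True if fetching `url` is unsafe: a non-http(s) scheme or a host
    that is loopback, private, link-local or otherwise non-public.
    `resolve` maps a hostname to IP strings; the default treats the host
    literally so the check runs offline, callers can pass DNS resolution."""
    parts = urlsplit(url)
    if parts.scheme == "data":
        return False              # inline data never triggers a fetch
    if not parts.scheme and not parts.netloc:
        return False              # relative path: served by the site itself
    if parts.scheme not in ("http", "https"):
        return True               # file://, gopher://, etc. are never allowed
    host = parts.hostname or ""
    if host == "localhost":
        return True
    for addr in resolve(host):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue              # not a literal IP: unresolved hostname
        if not ip.is_global:
            return True           # loopback, private, link-local, reserved
    return False

def unsafe_resources(html, resolve=lambda host: [host]):
    """Returns the URLs in `html` that must block PDF rendering."""
    collector = ResourceCollector()
    collector.feed(html)
    return [u for u in collector.urls if is_internal_target(u, resolve)]

# Constructed sample: a print format whose image and stylesheet point at a
# link-local metadata address and a loopback service next to a public CDN.
SAMPLE = ('<h1>Invoice</h1><img src="http://169.254.169.254/latest/meta-data/">'
          '<img src="https://cdn.example.com/logo.png">'
          '<link rel="stylesheet" href="http://127.0.0.1:8000/api/method/ping">')
```

Wire `resolve` to real DNS in production and re-check the resolved address at connect time; otherwise a hostname that resolves to a private range after validation bypasses the gate.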
Details
- CVE ID: CVE-2026-31017
- Severity: Critical
- CVSS Score: 9.1
- Type: server_side_request_forgery
- Status: unconfirmed
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N