CVE-2026-13150 PUBLISHED

SSRF in Pentestify PDF generation endpoint via Host header

Assigner: Secur0
Reserved: 24.06.2026 Published: 24.06.2026 Updated: 24.06.2026

Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	Low
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Pentestify
Product	Pentestify
Versions	Default: unaffected affected from 0 to 1.1.0 (excl.)

Solutions

Upgrade to version 1.1.0 or higher

Credits

Dario Rivas Quero from Secur0 security team finder
Cristian Fernandez Cornejo from Secur0 security team finder
Mario Alvarez Fernandez remediation developer
Xoan M. Otero Jorge analyst
Secur0 CNA coordinator

References

https://github.com/ccyl13/Pentestify/commit/a058a22b42c6311895622645265df79a60265b1d

Problem Types

CWE-918 Server-Side request forgery (SSRF) CWE

Impacts

CAPEC-300 Port Scanning