Server-Side Request Forgery in ERPNext and Frappe Framework
CVE-2026-31017

9.1CRITICAL

Key Information:

Vendor: Frappe
Status: ERPNext
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-31017?

A vulnerability affecting ERPNext and Frappe Framework enables attackers to exploit insufficient sanitization of user-supplied HTML in the Print Format functionality. When generating PDFs, malicious users can incorporate HTML elements like , causing the server to make unauthorized requests to internal services. This could result in the exposure of sensitive data, such as information from cloud metadata endpoints, thereby compromising security.

References

http://frappe.com

https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 9, 2026

CVE-2026-31017 Data

JSON