CVE-2026-13150

SSRF in Pentestify PDF generation endpoint via Host header

CVSS 6.9 MEDIUMEPSS 0.3%CWE-918

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.9EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

24 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Affected products

Pentestify · Pentestify

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/ccyl13/Pentestify/commit/a058a22b42c6311895622645265df79a60265b1d