Search criteria
1 vulnerability found for Pentestify by Pentestify
CVE-2026-13150 (GCVE-0-2026-13150)
Vulnerability from cvelistv5 – Published: 2026-06-24 10:45 – Updated: 2026-06-24 11:57
VLAI?
Title
SSRF in Pentestify PDF generation endpoint via Host header
Summary
Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.
Severity ?
CWE
- CWE-918 - Server-Side request forgery (SSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pentestify | Pentestify |
Affected:
0 , < 1.1.0
(custom)
|
Credits
Dario Rivas Quero from Secur0 security team
Cristian Fernandez Cornejo from Secur0 security team
Mario Alvarez Fernandez
Xoan M. Otero Jorge
Secur0 CNA
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-24T11:57:12.138307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T11:57:56.451Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pentestify",
"repo": "https://github.com/ccyl13/Pentestify",
"vendor": "Pentestify",
"versions": [
{
"lessThan": "1.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pentestify:pentestify:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.1.0",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dario Rivas Quero from Secur0 security team"
},
{
"lang": "en",
"type": "finder",
"value": "Cristian Fernandez Cornejo from Secur0 security team"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Mario Alvarez Fernandez"
},
{
"lang": "en",
"type": "analyst",
"value": "Xoan M. Otero Jorge"
},
{
"lang": "en",
"type": "coordinator",
"value": "Secur0 CNA"
}
],
"datePublic": "2026-06-24T10:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint \u003ccode\u003eGET /api/reports/{id}/pdf\u003c/code\u003e (\u003ccode\u003ebackend/main.py\u003c/code\u003e) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted \u003ccode\u003eHost\u003c/code\u003e header, because the target URL is built from \u003ccode\u003erequest.base_url\u003c/code\u003e without validation."
}
],
"value": "Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation."
}
],
"impacts": [
{
"capecId": "CAPEC-300",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-300 Port Scanning"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side request forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T10:45:17.553Z",
"orgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
"shortName": "Secur0"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/ccyl13/Pentestify/commit/a058a22b42c6311895622645265df79a60265b1d"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to version 1.1.0 or higher"
}
],
"value": "Upgrade to version 1.1.0 or higher"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SSRF in Pentestify PDF generation endpoint via Host header",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "4daa8cea-433a-44bd-9456-53b127fc289a",
"assignerShortName": "Secur0",
"cveId": "CVE-2026-13150",
"datePublished": "2026-06-24T10:45:17.553Z",
"dateReserved": "2026-06-24T10:36:43.095Z",
"dateUpdated": "2026-06-24T11:57:56.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}