CVE-2026-13150

Vulnerability Description

Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.

Vulnerability Details

Published Date

June 24, 2026

Last Modified

June 24, 2026

CWE ID

CWE-918

Source

NVD

Vendor

Pentestify

Product

Pentestify

External References

https://github.com/ccyl13/Pentestify/commit/a058a22b42c6311895622645265df79a60265b1d

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment