CVE-2026-31017

Name of the Vulnerable Software and Affected Versions ERPNext version 16.0.1 Frappe Framework version 16.1.1

Description A Server-Side Request Forgery (SSRF) exists in the Print Format functionality. Insufficient sanitization of user-supplied HTML before PDF rendering allows attackers to include HTML elements like <iframe> referencing external resources. The PDF rendering engine fetches these resources on the server side, enabling attackers to force the server to make arbitrary HTTP requests to internal services, potentially disclosing sensitive information, including cloud metadata endpoints.

Recommendations Update ERPNext to a newer version that contains a fix for this vulnerability. Update Frappe Framework to a newer version that contains a fix for this vulnerability.