SSRF in Pentestify PDF generation endpoint via Host header
Summary
| CVE | CVE-2026-13150 |
|---|---|
| State | PUBLISHED |
| Assigner | Secur0 |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 11:16:33 UTC |
| Updated | 2026-06-25 19:58:30 UTC |
| Description | Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation. |
Risk And Classification
Primary CVSS: v4.0 6.9 MEDIUM from 4daa8cea-433a-44bd-9456-53b127fc289a
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.002920000 probability, percentile 0.208160000 (date 2026-06-29)
Problem Types: CWE-918 | CWE-918 CWE-918 Server-Side request forgery (SSRF)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 4daa8cea-433a-44bd-9456-53b127fc289a | Secondary | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Pentestify | Pentestify | affected 1.1.0 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/ccyl13/Pentestify/commit/a058a22b42c6311895622645265df79a6026... | 4daa8cea-433a-44bd-9456-53b127fc289a | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Dario Rivas Quero from Secur0 security team (en)
CNA: Cristian Fernandez Cornejo from Secur0 security team (en)
CNA: Mario Alvarez Fernandez (en)
CNA: Xoan M. Otero Jorge (en)
CNA: Secur0 CNA (en)
Additional Advisory Data
Solutions
CNA: Upgrade to version 1.1.0 or higher