{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-13150", "assignerOrgId": "4daa8cea-433a-44bd-9456-53b127fc289a", "state": "PUBLISHED", "assignerShortName": "Secur0", "dateReserved": "2026-06-24T10:36:43.095Z", "datePublished": "2026-06-24T10:45:17.553Z", "dateUpdated": "2026-06-24T11:57:56.451Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "4daa8cea-433a-44bd-9456-53b127fc289a", "shortName": "Secur0", "dateUpdated": "2026-06-24T10:45:17.553Z"}, "title": "SSRF in Pentestify PDF generation endpoint via Host header", "datePublic": "2026-06-24T10:45:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "CWE-918 Server-Side request forgery (SSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-300", "descriptions": [{"lang": "en", "value": "CAPEC-300 Port Scanning"}]}], "affected": [{"vendor": "Pentestify", "product": "Pentestify", "repo": "https://github.com/ccyl13/Pentestify", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pentestify:pentestify:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "1.1.0"}]}]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint <code>GET /api/reports/{id}/pdf</code> (<code>backend/main.py</code>) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted <code>Host</code> header, because the target URL is built from <code>request.base_url</code> without validation."}]}], "references": [{"url": "https://github.com/ccyl13/Pentestify/commit/a058a22b42c6311895622645265df79a60265b1d", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"}}], "solutions": [{"lang": "en", "value": "Upgrade to version 1.1.0 or higher", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Upgrade to version 1.1.0 or higher"}]}], "credits": [{"lang": "en", "value": "Dario Rivas Quero from Secur0 security team", "type": "finder"}, {"lang": "en", "value": "Cristian Fernandez Cornejo from Secur0 security team", "type": "finder"}, {"lang": "en", "value": "Mario Alvarez Fernandez", "type": "remediation developer"}, {"lang": "en", "value": "Xoan M. Otero Jorge", "type": "analyst"}, {"lang": "en", "value": "Secur0 CNA", "type": "coordinator"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-24T11:57:12.138307Z", "id": "CVE-2026-13150", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T11:57:56.451Z"}}]}}

{}

{}

{}

{"created": "2026-06-24T13:00:06.324816+00:00", "updated": "2026-06-24T13:00:06.324832+00:00", "vendors": []}