SSRF in Pentestify PDF generation endpoint via crafted Host header

Description

Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.

Weakness type (CWE)

CWE-918: Server-Side Request Forgery (SSRF)

Attack pattern (CAPEC)

CAPEC-300: Port Scanning

Affected versions

Pentestify 1.0.0 and lower (all versions before 1.1.0). Default status: unaffected.

Score (CVSS 4.0)

6.9 — Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Solution

Upgrade to version 1.1.0 or higher.

Patch

Commit a058a22

Credits

• Darío Rivas Quero (Secur0 security team) — finder
• Cristian Fernández Cornejo (Secur0 security team) — finder
• Mario Álvarez Fernández — remediation developer
• Xoán M. Otero Jorge — analyst
• Secur0 CNA — coordinator

Discovery source: Internal

Official record: CVE-2026-13150