CVE Catalog

CVE-2026-13150

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile — higher than 21% of all known CVEs

Summary

In ccyl13 Pentestify version 1.0.0 and lower, there is a Server-Side Request Forgery (SSRF) vulnerability in the PDF generation endpoint. An attacker can exploit this flaw to send requests to arbitrary internal or external URLs, potentially leading to the exposure of sensitive data.

Risk Assessment

This vulnerability poses a risk that an attacker could access internal resources or services, which may lead to serious security breaches and data loss.

Recommendation

It is recommended to update the system to the latest version that includes security patches and to implement URL validation in the PDF generation endpoint.

Original NVD description (English source)

Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS