CVE-2026-13150 | Server-Side Request Forgery (SSRF) (CWE-918) in the PDF gene… | CVSS 6.9 MEDIUM

Description

Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.

Metadata

CVE ID: CVE-2026-13150
State: PUBLISHED
Assigner: Secur0
Reserved: 2026-06-24 10:36 UTC
Published: 2026-06-24 10:45 UTC
Last updated: 2026-06-24 11:57 UTC
Primary CWE: CWE-918
CWE-918 Server-Side request forgery (SSRF)
Vendor / Product: Pentestify / Pentestify
Sources: cve.org · NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Pentestify	Pentestify	—	0 < 1.1.0

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	CWE-918 Server-Side request forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

References (1)

https://github.com/ccyl13/Pentestify/commit/a058a22b42c6311895622645265df79a60265b1d