CVE-2026-31017 -- CVSS 9.1 Vulnerability Briefing

CVE-2026-31017 | CVSS 9.1 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-31017 is a Server-Side Request Forgery (SSRF) vulnerability in the Print Format functionality of Frappe's ERPNext v16.0.1 and Frappe Framework v16.1.1, where insufficient sanitization of user-supplied HTML enables server-side request manipulation.

Technical Detail

The flaw exists because user-controlled HTML input passed to the Print Format rendering engine is not adequately sanitized before being processed server-side, allowing an attacker to craft malicious input that causes the server to issue arbitrary HTTP requests to internal or external destinations. An authenticated attacker with access to the Print Format feature could abuse this to probe internal network services, access cloud instance metadata endpoints, or interact with backend systems not otherwise exposed to the network perimeter. Depending on the internal network topology and available services, this could facilitate credential theft, lateral movement, or further exploitation of internal infrastructure.

Exploitation Status

No known exploit code has been observed in the wild as of April 15, 2026. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Exploit maturity is assessed as "no known exploit" at this time. However, the SSRF vulnerability class is well understood and the affected feature is reachable by authenticated users, so the barrier to exploitation drops once the flaw is publicly documented.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this CVE. ERPNext is widely deployed in small to mid-sized enterprises across manufacturing, retail, and services sectors, which may make it of general interest to opportunistic actors seeking access to internal business systems or financial data.

What To Do

Organizations running ERPNext v16.0.1 or Frappe Framework v16.1.1 should apply vendor-issued patches as soon as they become available and treat this as a high-priority remediation given the critical CVSS score of 9.1. As an interim measure, restrict access to the Print Format functionality to trusted, minimally privileged users and enforce egress filtering on the application server to block unauthorized outbound connections to internal network ranges and cloud metadata services such as 169.254.169.254. Network-level controls such as a web application firewall with SSRF detection rules can provide additional detection coverage. Monitor application and network logs for anomalous outbound requests originating from the ERPNext application server, particularly to internal RFC 1918 address space or metadata endpoints.
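The monitoring step above (flagging outbound requests from the application server to RFC 1918 space or the metadata endpoint) can be automated. The script below is an added illustration, not code from Frappe or from this briefing: it reads a constructed outbound-request log in a made-up `<timestamp> <source_ip> -> <url> <status>` format, extracts the destination host from each URL, and reports any request whose destination is a private, loopback, link-local, or cloud-metadata address. The log format, field names, and sample lines are all assumptions for the example; adapt the regex to the proxy or egress-gateway log you actually collect.

```python
"""Flag outbound requests to internal or metadata destinations (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed log format for this example: "<timestamp> <source_ip> -> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Destinations an application server should not normally contact directly.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918
    ipaddress.ip_network("127.0.0.0/8"),       # loopback
    ipaddress.ip_network("169.254.0.0/16"),    # link-local, includes 169.254.169.254
    ipaddress.ip_network("::1/128"),           # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),          # IPv6 unique local
    ipaddress.ip_network("fe80::/10"),         # IPv6 link-local
]

METADATA_ENDPOINT = ipaddress.ip_address("169.254.169.254")


@dataclass
class Finding:
    ts: str
    url: str
    reason: str


def classify_host(host: str) -> Optional[str]:
    """Return why an IP-literal host is suspicious, or None if it is not.

    Only IP literals are judged here. A hostname must be resolved (and the
    resolved address re-checked) before this function is useful for it.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # hostname, not an IP literal; resolution is out of scope offline
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged against IPv4 ranges.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr == METADATA_ENDPOINT:
        return "cloud metadata endpoint"
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return f"address in {net}"
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse each log line and collect requests aimed at blocked destinations."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        host = urlsplit(m.group("url")).hostname or ""
        reason = classify_host(host)
        if reason:
            findings.append(Finding(m.group("ts"), m.group("url"), reason))
    return findings


# Constructed sample log; the addresses and URLs are invented for this example.
SAMPLE_LOG = [
    "2026-04-15T10:00:01Z 10.1.2.3 -> https://api.example.com/v1/print 200",
    "2026-04-15T10:00:02Z 10.1.2.3 -> http://169.254.169.254/latest/meta-data/ 200",
    "2026-04-15T10:00:03Z 10.1.2.3 -> http://192.168.10.5:8080/admin 403",
    "2026-04-15T10:00:04Z 10.1.2.3 -> http://[::1]:9000/ 500",
    "2026-04-15T10:00:05Z 10.1.2.3 -> http://[::ffff:10.0.0.7]/ 200",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts}  {f.url}  ->  {f.reason}")
```

The same `classify_host` check can sit in front of outbound HTTP calls as an egress guard, but note its limitation: it only judges IP literals. A hostname that resolves to an internal address, or an address written in an unusual encoding, passes through unflagged, which is why the briefing recommends network-level egress filtering rather than relying on application-side checks alone.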
