Closed
Hello,
During a recent engagement, I came across an "Export to PDF" function which takes user controlled HTML and passes it to the pandoc PDF generator. While testing, I discovered that the PDF generation library is vulnerable to Server-Side Request Forgery (SSRF) when rendering PDFs from HTML containing `<iframe>` elements. An attacker can exploit this by embedding an iframe with a URL pointing to internal resources, potentially exposing sensitive data or interacting with internal services.
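The mitigation that follows is an added example, not code from the issue reporter or from the pandoc project. It shows the defender-side control an application owning such an "Export to PDF" feature would put in front of the renderer: an allowlist-based pre-sanitizer that removes every element able to trigger an outbound fetch (`<iframe>`, `<object>`, `<embed>`, `<link>`, and friends) and strips any URL-bearing attribute whose target is not an explicitly approved asset host. The allowed host `cdn.example.com`, the `internal-service.local` name, and the sample document are constructed for this example. It uses only the Python standard library and records what it removed so the service can log and alert on attempts.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that make an HTML-to-PDF engine fetch a remote/internal resource
# or execute code. They are dropped together with their content.
BLOCKED = {"iframe", "frame", "frameset", "object", "embed",
           "script", "style", "link", "meta", "base"}
# Void elements never get a closing tag, so they must not open a "skip" region.
VOID = {"br", "hr", "img", "input", "link", "meta", "base", "col", "wbr", "source"}
# Attributes a renderer may resolve as URLs. srcset/style lists are simply dropped.
URL_ATTRS = {"src", "href", "data", "poster", "background",
             "srcset", "action", "formaction"}
# Hypothetical allowlist: the only host the export service may fetch assets from.
ALLOWED_HOSTS = {"cdn.example.com"}


class RenderSafeHTML(HTMLParser):
    """Rebuilds the document, keeping only elements/attributes safe to render."""

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed_hosts = allowed_hosts
        self.out = []       # sanitized fragments
        self.dropped = []   # audit trail: "tag" or "tag@attr" that was removed
        self._skip = 0      # >0 while inside a blocked (non-void) element

    def _url_ok(self, value):
        # Only absolute http(s) URLs to an allowlisted host survive. Loopback,
        # private names, javascript:, data: and protocol-relative URLs all fail.
        u = urlparse(value.strip())
        return u.scheme in ("http", "https") and u.hostname in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in BLOCKED and tag not in VOID:
                self._skip += 1          # nested blocked element
            return
        if tag in BLOCKED:
            self.dropped.append(tag)
            if tag not in VOID:
                self._skip = 1
            return
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on") or (
                name == "style" and value and "url(" in value.lower()
            ):
                self.dropped.append(f"{tag}@{name}")   # handlers / CSS fetches
                continue
            if name in URL_ATTRS and not (value and self._url_ok(value)):
                self.dropped.append(f"{tag}@{name}")   # non-allowlisted URL
                continue
            parts.append(name if value is None
                         else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if self._skip:
            if tag in BLOCKED and tag not in VOID:
                self._skip -= 1
            return
        if tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_for_pdf(user_html, allowed_hosts=ALLOWED_HOSTS):
    """Return (clean_html, dropped_items) for user-controlled HTML."""
    p = RenderSafeHTML(allowed_hosts)
    p.feed(user_html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample: a legitimate invoice body with embedded fetch attempts.
SAMPLE_HTML = (
    "<h1>Invoice</h1>"
    '<iframe src="http://127.0.0.1:8080/admin"></iframe>'
    '<img src="https://cdn.example.com/logo.png" onerror="alert(1)">'
    '<img src="http://internal-service.local/report">'
    "<p>Total: 42</p>"
)

if __name__ == "__main__":
    clean, dropped = sanitize_for_pdf(SAMPLE_HTML)
    print(clean)
    print("dropped:", dropped)
```

Run this before handing the HTML to pandoc (or to whichever engine pandoc invokes for PDF output); a non-empty `dropped` list on a request is worth logging as a detection signal. Sanitization is the application-layer half of the fix: the render host should additionally be denied network egress to internal ranges so that anything the sanitizer misses still cannot reach internal services.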