The server converted my supplied HTML into PDF, so I dropped in a <meta http-equiv="refresh" content="0;url=http://10.20.x.x/"> tag and got the backend to fetch responses from the internal network. I was able to access an API on the internal network at 10.20.x.x, but the program team wanted more impact. With help from @mcipekci, we scanned all ports on 127.0.0.1 and ended up finding an OpenPrinting CUPS server exposed on port 631. The program team finally accepted the report as High severity. When you land an SSRF, don’t just check the default localhost port. Enumerate all common ports on localhost.
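
As an added defensive example (not part of the original post): the two controls on the rendering side that would have closed this bug, stripping meta-refresh redirects from submitted HTML and refusing renderer fetches that resolve to loopback or private addresses or target non-web ports such as 631. The sample HTML, the 10.20.0.1 address and the injectable resolver are constructed placeholders, not values from the report.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

# Constructed sample of user-supplied HTML carrying the redirect trick
# (10.20.0.1 is a placeholder for the internal range named in the post).
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" '
               'content="0;url=http://10.20.0.1/"></head><body>hi</body></html>')

META_REFRESH = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.IGNORECASE)

# Only ordinary web ports are legitimate targets for a PDF renderer's fetches.
ALLOWED_PORTS = {80, 443}


def strip_meta_refresh(html: str) -> str:
    """Remove client-side redirects before the HTML reaches the renderer.
    This alone is not enough: <img>, <iframe>, <link> and CSS url() also
    make the renderer fetch, so the network-level guard below is the real control."""
    return META_REFRESH.sub("", html)


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses (rejects 10/8, 127/8, etc.)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def fetch_allowed(url: str, resolver=socket.gethostbyname) -> bool:
    """Decide whether the renderer may fetch `url`.
    `resolver` is injectable so the check can be exercised offline; in
    production the fetch must connect to the IP checked here, not re-resolve
    the name (otherwise DNS rebinding bypasses the check)."""
    try:
        parts = urlparse(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:          # malformed port such as "http://h:abc/"
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False            # file://, gopher://, etc. are refused outright
    if port not in ALLOWED_PORTS:
        return False
    try:
        ip = resolver(parts.hostname)
    except (socket.gaierror, OSError):
        return False            # fail closed on unresolvable or IPv6-only names
    return is_public_ip(ip)
```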

Resources