What is the CVSS score of CVE-2026-33530?

CVE-2026-33530 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Python are affected by CVE-2026-33530?

InvenTree inventory management systems prior to version 1.2.6 allow authenticated users with low-level privileges to extract sensitive database information through unvalidated API filter parameters,…. A patch is available.

How to fix or mitigate CVE-2026-33530?

Within 24 hours: Identify all InvenTree deployments and document current versions. Within 7 days: Upgrade InvenTree to version 1.2.6 or later (1.3.0 recommended for additional stability). Within 30 days: Conduct access review of bulk operation API endpoints and implement principle-of-least-privilege controls for database query permissions; monitor API logs for anomalous filter parameter usage prior to upgrade.

Python CVE-2026-33530

EUVD-2026-16359 HIGH

Exposure of Sensitive Information Through Data Queries (CWE-202)

2026-03-26 GitHub_M

Python Information Disclosure

7.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:13 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.2.6

EUVD ID Assigned

Mar 26, 2026 - 20:00 euvd

EUVD-2026-16359

Analysis Generated

Mar 26, 2026 - 20:00 vuln.today

CVE Published

Mar 26, 2026 - 19:34 nvd

HIGH 7.7

DescriptionNVD

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. /api/part/, /api/stock/, /api/order/so/allocation/, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.

AnalysisAI

Authenticated attackers with low-level privileges can exfiltrate sensitive database information from InvenTree open source inventory management systems prior to version 1.2.6 by abusing unvalidated filter parameters in bulk operation API endpoints. The vulnerability enables blind boolean-based data extraction through Django ORM relationship traversal, achieving high confidentiality impact with changed scope per CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (score 7.7). …

RemediationAI

Within 24 hours: Identify all InvenTree deployments and document current versions. Within 7 days: Upgrade InvenTree to version 1.2.6 or later (1.3.0 recommended for additional stability). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33530 vulnerability details – vuln.today

Back

Python CVE-2026-33530

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code