Skip to main content

Inventree CVE-2026-33531

| EUVDEUVD-2026-16361 MEDIUM
SQL Injection (CWE-89)
2026-03-26 GitHub_M
4.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.2.6
EUVD ID Assigned
Mar 26, 2026 - 20:01 euvd
EUVD-2026-16361
Analysis Generated
Mar 26, 2026 - 20:01 vuln.today
CVE Published
Mar 26, 2026 - 19:40 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: encode_svg_image(), asset(), and uploaded_image() in src/backend/InvenTree/report/templatetags/report.py. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.

AnalysisAI

InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authenticated staff users to read arbitrary files from the server filesystem through crafted template tags in the encode_svg_image(), asset(), and uploaded_image() functions. An attacker with staff privileges can exploit this to access sensitive files if the InvenTree installation runs with elevated host system permissions. Vendor-released patches are available in versions 1.2.6 and 1.3.0 or later; no public exploit code or active exploitation has been confirmed at this time.

Technical ContextAI

InvenTree is an open-source inventory management system (CPE: cpe:2.3:a:inventree:inventree) that processes user-supplied report templates containing Django template tags. The vulnerability resides in the report template tag handlers located in src/backend/InvenTree/report/templatetags/report.py. These template tag functions fail to properly validate or sanitize file paths before passing them to backend file-access operations, enabling directory traversal via sequences such as ../ or similar path manipulation techniques. This is classified as CWE-89 (SQL Injection) in the provided data, though the technical description aligns more closely with CWE-22 (Path Traversal); the discrepancy may reflect miscategorization in the source feed. The vulnerability is exploitable only by authenticated users with staff-level privileges, meaning access to the InvenTree administrative interface is a prerequisite.

RemediationAI

Immediately upgrade InvenTree to version 1.2.6 or later (recommended: 1.3.0 or above) to apply the vendor-released patch. Administrators unable to patch immediately should restrict staff account creation and template upload privileges to fully trusted users only, and monitor InvenTree logs for unusual file access patterns within report generation. If InvenTree runs in a containerized or virtualized environment, apply the principle of least privilege by limiting the service process's filesystem permissions to only necessary directories (e.g., exclude access to /etc/passwd, system configuration, or other sensitive paths). Network-level controls (restricting administrative access to InvenTree to trusted IP ranges) provide additional defense in depth. See vendor advisory at https://github.com/inventree/InvenTree/security/advisories/GHSA-rhc5-7c3r-c769 for detailed patch release notes.

CVE-2022-2112 HIGH POC
8.8 Jun 17

Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated

CVE-2022-2111 HIGH POC
8.8 Jun 17

Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high seve

CVE-2022-2134 MEDIUM POC
6.5 Jun 20

Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medi

CVE-2022-3355 MEDIUM POC
5.4 Sep 29

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS

CVE-2022-2113 MEDIUM POC
5.4 Jun 17

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS

CVE-2026-35478 HIGH
8.3 Apr 08

Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API

CVE-2026-35476 HIGH
7.2 Apr 08

Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenti

CVE-2026-35479 MEDIUM
6.6 Apr 08

InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without re

CVE-2026-27629 MEDIUM
5.9 Feb 25

InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch co

CVE-2024-47610 MEDIUM
5.4 Oct 07

InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotel

Share

CVE-2026-33531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy