Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: encode_svg_image(), asset(), and uploaded_image() in src/backend/InvenTree/report/templatetags/report.py. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.
AnalysisAI
InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authenticated staff users to read arbitrary files from the server filesystem through crafted template tags in the encode_svg_image(), asset(), and uploaded_image() functions. An attacker with staff privileges can exploit this to access sensitive files if the InvenTree installation runs with elevated host system permissions. Vendor-released patches are available in versions 1.2.6 and 1.3.0 or later; no public exploit code or active exploitation has been confirmed at this time.
Technical ContextAI
InvenTree is an open-source inventory management system (CPE: cpe:2.3:a:inventree:inventree) that processes user-supplied report templates containing Django template tags. The vulnerability resides in the report template tag handlers located in src/backend/InvenTree/report/templatetags/report.py. These template tag functions fail to properly validate or sanitize file paths before passing them to backend file-access operations, enabling directory traversal via sequences such as ../ or similar path manipulation techniques. This is classified as CWE-89 (SQL Injection) in the provided data, though the technical description aligns more closely with CWE-22 (Path Traversal); the discrepancy may reflect miscategorization in the source feed. The vulnerability is exploitable only by authenticated users with staff-level privileges, meaning access to the InvenTree administrative interface is a prerequisite.
RemediationAI
Immediately upgrade InvenTree to version 1.2.6 or later (recommended: 1.3.0 or above) to apply the vendor-released patch. Administrators unable to patch immediately should restrict staff account creation and template upload privileges to fully trusted users only, and monitor InvenTree logs for unusual file access patterns within report generation. If InvenTree runs in a containerized or virtualized environment, apply the principle of least privilege by limiting the service process's filesystem permissions to only necessary directories (e.g., exclude access to /etc/passwd, system configuration, or other sensitive paths). Network-level controls (restricting administrative access to InvenTree to trusted IP ranges) provide additional defense in depth. See vendor advisory at https://github.com/inventree/InvenTree/security/advisories/GHSA-rhc5-7c3r-c769 for detailed patch release notes.
Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated
Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high seve
Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medi
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS
Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API
Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenti
InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without re
InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch co
InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotel
Same weakness CWE-89 – SQL Injection
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16361