Skip to main content

Invoiceshelf CVE-2026-34365

| EUVDEUVD-2026-17606 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-31 security-advisories@github.com
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:09 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.2.0
EUVD ID Assigned
Mar 31, 2026 - 20:22 euvd
EUVD-2026-17606
Analysis Generated
Mar 31, 2026 - 20:22 vuln.today
CVE Published
Mar 31, 2026 - 20:16 nvd
HIGH 7.6

DescriptionGitHub Advisory

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF preview and customer view endpoints regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.

AnalysisAI

Server-Side Request Forgery in InvoiceShelf 2.x allows authenticated administrators to exfiltrate internal network data via malicious HTML in estimate PDF generation. The vulnerability stems from unsanitized user input passed to the Dompdf rendering library, enabling arbitrary HTTP requests from the server. Exploitable through PDF preview and customer view endpoints without requiring email functionality. Patched in version 2.2.0. CVSS 7.6 reflects high confidentiality impact with scope change (C:H/S:C), requiring high privileges (PR:H) but low attack complexity over network vector. No confirmed active exploitation (not in CISA KEV), but the technical barrier is low for authenticated attackers with administrative access.

Technical ContextAI

This vulnerability exploits a classic SSRF pattern (CWE-918) in PDF generation workflows using Dompdf, a popular PHP library for HTML-to-PDF conversion. InvoiceShelf's estimate module accepts user-supplied HTML in the Notes field and passes it directly to Dompdf without sanitization. Dompdf processes embedded resources (images, stylesheets, fonts) by making server-side HTTP requests to resolve URLs in the markup. An attacker with administrative privileges can inject HTML containing malicious URIs (e.g., <img src='http://internal-service:8080/admin'>) to force the application server to make requests to arbitrary destinations. The CVSS scope change (S:C) indicator reflects that the vulnerable component (Dompdf renderer) can be leveraged to attack resources beyond its security boundary-specifically, internal network services not directly exposed to the attacker. The vulnerability exists in the estimate PDF preview functionality and customer-facing view endpoints, making it exploitable through normal application workflows rather than requiring special configurations like automated email attachments.

RemediationAI

Upgrade immediately to InvoiceShelf version 2.2.0 or later, which includes input sanitization fixes for the Estimate Notes field before passing data to Dompdf. The patched release is available at https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0. Organizations unable to upgrade immediately should implement compensating controls: restrict administrative access to trusted users only, monitor server-side outbound HTTP requests for anomalous internal network destinations, implement egress filtering to prevent the application server from accessing sensitive internal networks, and consider disabling PDF preview functionality until patching is complete. Review administrative account activity logs for evidence of exploitation attempts, specifically examining estimate creation with embedded HTML image tags or stylesheet references pointing to internal IP ranges or cloud metadata endpoints.

Share

CVE-2026-34365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy