How to fix CVE-2026-34365?

Within 24 hours: Identify all InvoiceShelf instances in production and verify current version. Within 7 days: Upgrade InvoiceShelf to version 2.2.0 or later on all affected systems. Within 30 days: Conduct network access audit of InvoiceShelf service accounts and implement principle of least privilege to restrict outbound HTTP/HTTPS requests from the application server.

CVE-2026-34365

EUVD-2026-17606 HIGH

2026-03-31 [email protected]

7.6

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 31, 2026 - 20:22 euvd

EUVD-2026-17606

Analysis Generated

Mar 31, 2026 - 20:22 vuln.today

CVE Published

Mar 31, 2026 - 20:16 nvd

HIGH 7.6

Description

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF preview and customer view endpoints regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.

Analysis

Server-Side Request Forgery in InvoiceShelf 2.x allows authenticated administrators to exfiltrate internal network data via malicious HTML in estimate PDF generation. The vulnerability stems from unsanitized user input passed to the Dompdf rendering library, enabling arbitrary HTTP requests from the server. …

Remediation

Within 24 hours: Identify all InvoiceShelf instances in production and verify current version. Within 7 days: Upgrade InvoiceShelf to version 2.2.0 or later on all affected systems. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2026-34365 vulnerability details – vuln.today

Back

CVE-2026-34365

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34365

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code