Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF preview and customer view endpoints regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.
AnalysisAI
Server-Side Request Forgery in InvoiceShelf 2.x allows authenticated administrators to exfiltrate internal network data via malicious HTML in estimate PDF generation. The vulnerability stems from unsanitized user input passed to the Dompdf rendering library, enabling arbitrary HTTP requests from the server. Exploitable through PDF preview and customer view endpoints without requiring email functionality. Patched in version 2.2.0. CVSS 7.6 reflects high confidentiality impact with scope change (C:H/S:C), requiring high privileges (PR:H) but low attack complexity over network vector. No confirmed active exploitation (not in CISA KEV), but the technical barrier is low for authenticated attackers with administrative access.
Technical ContextAI
This vulnerability exploits a classic SSRF pattern (CWE-918) in PDF generation workflows using Dompdf, a popular PHP library for HTML-to-PDF conversion. InvoiceShelf's estimate module accepts user-supplied HTML in the Notes field and passes it directly to Dompdf without sanitization. Dompdf processes embedded resources (images, stylesheets, fonts) by making server-side HTTP requests to resolve URLs in the markup. An attacker with administrative privileges can inject HTML containing malicious URIs (e.g., <img src='http://internal-service:8080/admin'>) to force the application server to make requests to arbitrary destinations. The CVSS scope change (S:C) indicator reflects that the vulnerable component (Dompdf renderer) can be leveraged to attack resources beyond its security boundary-specifically, internal network services not directly exposed to the attacker. The vulnerability exists in the estimate PDF preview functionality and customer-facing view endpoints, making it exploitable through normal application workflows rather than requiring special configurations like automated email attachments.
RemediationAI
Upgrade immediately to InvoiceShelf version 2.2.0 or later, which includes input sanitization fixes for the Estimate Notes field before passing data to Dompdf. The patched release is available at https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0. Organizations unable to upgrade immediately should implement compensating controls: restrict administrative access to trusted users only, monitor server-side outbound HTTP requests for anomalous internal network destinations, implement egress filtering to prevent the application server from accessing sensitive internal networks, and consider disabling PDF preview functionality until patching is complete. Review administrative account activity logs for evidence of exploitation attempts, specifically examining estimate creation with embedded HTML image tags or stylesheet references pointing to internal IP ranges or cloud metadata endpoints.
More in Invoiceshelf
View allServer-Side Request Forgery in InvoiceShelf prior to version 2.2.0 allows authenticated high-privilege users to force th
Server-Side Request Forgery in InvoiceShelf's PDF payment receipt generation allows authenticated high-privilege users t
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17606