Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Invoice PDF generation module. User-supplied HTML in the invoice Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. This can be triggered via the PDF preview and email delivery endpoints. This issue has been patched in version 2.2.0.
AnalysisAI
Server-Side Request Forgery in InvoiceShelf prior to version 2.2.0 allows authenticated high-privilege users to force the server to make arbitrary HTTP requests through the invoice PDF generation module. Attackers can inject malicious HTML into the invoice Notes field, which Dompdf processes without sanitization, fetching remote resources and potentially accessing internal network services or exfiltrating data via out-of-band channels. EPSS data not available; no public exploit identified at time of analysis. The CVSS score of 7.6 reflects high confidentiality impact with scope change, indicating potential for significant internal network reconnaissance.
Technical ContextAI
The vulnerability affects InvoiceShelf's invoice PDF generation workflow, which uses the Dompdf library to render HTML invoices. Dompdf is a PHP library that converts HTML/CSS to PDF documents and by default will fetch external resources (images, stylesheets, fonts) referenced in the markup. The application fails to sanitize user-controlled HTML input in the invoice Notes field before passing it to Dompdf. This enables classic SSRF exploitation patterns through HTML elements like img tags, CSS url() functions, or iframe sources. The vulnerability is classified as CWE-918 (Server-Side Request Forgery), representing a failure to validate or restrict the destination of server-initiated network requests. Attackers with high privileges (PR:H in CVSS vector) can craft invoices containing malicious HTML that triggers requests to arbitrary URLs when the PDF preview is generated or when invoices are emailed, effectively using the application server as a proxy to access internal network resources, cloud metadata endpoints (AWS IMDSv1, Azure IMDS), or exfiltrate sensitive data through DNS queries or HTTP callbacks.
RemediationAI
Organizations should immediately upgrade to InvoiceShelf version 2.2.0, which includes patches addressing the unsanitized HTML processing vulnerability. The patched release is available at https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0. As an interim mitigation for environments where immediate patching is not feasible, restrict administrative access to the invoice creation functionality, implement network-level egress filtering to prevent the application server from making outbound connections to internal network ranges and cloud metadata endpoints (169.254.169.254, fd00:ec2::254), and monitor application server network activity for unexpected outbound requests. Review existing invoice records for suspicious HTML content in Notes fields, particularly tags like img, iframe, or CSS with url() functions pointing to internal IP addresses or sensitive endpoints. After upgrading, verify that PDF generation no longer fetches remote resources by testing with sample HTML payloads and monitoring network traffic during PDF preview operations.
More in Invoiceshelf
View allServer-Side Request Forgery in InvoiceShelf 2.x allows authenticated administrators to exfiltrate internal network data
Server-Side Request Forgery in InvoiceShelf's PDF payment receipt generation allows authenticated high-privilege users t
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17618