Skip to main content

Invoiceshelf CVE-2026-34367

| EUVDEUVD-2026-17618 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-31 GitHub_M
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:10 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.2.0
EUVD ID Assigned
Mar 31, 2026 - 20:31 euvd
EUVD-2026-17618
Analysis Generated
Mar 31, 2026 - 20:31 vuln.today
CVE Published
Mar 31, 2026 - 20:16 nvd
HIGH 7.6

DescriptionGitHub Advisory

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Invoice PDF generation module. User-supplied HTML in the invoice Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. This can be triggered via the PDF preview and email delivery endpoints. This issue has been patched in version 2.2.0.

AnalysisAI

Server-Side Request Forgery in InvoiceShelf prior to version 2.2.0 allows authenticated high-privilege users to force the server to make arbitrary HTTP requests through the invoice PDF generation module. Attackers can inject malicious HTML into the invoice Notes field, which Dompdf processes without sanitization, fetching remote resources and potentially accessing internal network services or exfiltrating data via out-of-band channels. EPSS data not available; no public exploit identified at time of analysis. The CVSS score of 7.6 reflects high confidentiality impact with scope change, indicating potential for significant internal network reconnaissance.

Technical ContextAI

The vulnerability affects InvoiceShelf's invoice PDF generation workflow, which uses the Dompdf library to render HTML invoices. Dompdf is a PHP library that converts HTML/CSS to PDF documents and by default will fetch external resources (images, stylesheets, fonts) referenced in the markup. The application fails to sanitize user-controlled HTML input in the invoice Notes field before passing it to Dompdf. This enables classic SSRF exploitation patterns through HTML elements like img tags, CSS url() functions, or iframe sources. The vulnerability is classified as CWE-918 (Server-Side Request Forgery), representing a failure to validate or restrict the destination of server-initiated network requests. Attackers with high privileges (PR:H in CVSS vector) can craft invoices containing malicious HTML that triggers requests to arbitrary URLs when the PDF preview is generated or when invoices are emailed, effectively using the application server as a proxy to access internal network resources, cloud metadata endpoints (AWS IMDSv1, Azure IMDS), or exfiltrate sensitive data through DNS queries or HTTP callbacks.

RemediationAI

Organizations should immediately upgrade to InvoiceShelf version 2.2.0, which includes patches addressing the unsanitized HTML processing vulnerability. The patched release is available at https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0. As an interim mitigation for environments where immediate patching is not feasible, restrict administrative access to the invoice creation functionality, implement network-level egress filtering to prevent the application server from making outbound connections to internal network ranges and cloud metadata endpoints (169.254.169.254, fd00:ec2::254), and monitor application server network activity for unexpected outbound requests. Review existing invoice records for suspicious HTML content in Notes fields, particularly tags like img, iframe, or CSS with url() functions pointing to internal IP addresses or sensitive endpoints. After upgrading, verify that PDF generation no longer fetches remote resources by testing with sample HTML payloads and monitoring network traffic during PDF preview operations.

Share

CVE-2026-34367 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy