Skip to main content

Inventree

11 CVEs product

Monthly

CVE-2026-35479 MEDIUM PATCH This Month

InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without requiring superuser privileges, enabling privilege escalation and potential code execution. The vulnerability exists because plugin installation permissions are inconsistently enforced compared to other plugin operations (such as uninstallation) that correctly require superuser access. Staff users, typically considered lower-trust accounts than superusers, can exploit this to deploy malicious plugins with full application context. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Inventree
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-35478 HIGH PATCH This Week

Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API tokens for arbitrary users, including administrators, enabling complete account takeover. Affected versions 0.16.0 through 1.2.6 permit low-privileged users to forge API credentials by manipulating the user field in POST requests to /api/user/tokens/. Resulting tokens provide full API access from any network location without requiring victim interaction. No public exploit identified at time of analysis.

Authentication Bypass Inventree
NVD GitHub
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-35476 HIGH PATCH This Week

Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenticated attackers to elevate any user account to staff level through improperly secured API endpoints. Exploitation requires no special conditions beyond network access and enables unauthorized administrative access to inventory management functions. EPSS score of 0.03% (8th percentile) indicates low observed exploitation likelihood, and SSVC assessment confirms no known exploitation with non-automatable attack requiring user account creation first.

Authentication Bypass Inventree
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33531 MEDIUM PATCH This Month

InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authenticated staff users to read arbitrary files from the server filesystem through crafted template tags in the `encode_svg_image()`, `asset()`, and `uploaded_image()` functions. An attacker with staff privileges can exploit this to access sensitive files if the InvenTree installation runs with elevated host system permissions. Vendor-released patches are available in versions 1.2.6 and 1.3.0 or later; no public exploit code or active exploitation has been confirmed at this time.

Path Traversal SQLi Inventree
NVD GitHub
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-27629 MEDIUM This Month

InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch code generation functionality, enabling server-side template injection that can expose sensitive data or execute arbitrary code. Once a staff member modifies the template maliciously, any user triggering batch code generation via the API will execute the injected code within their user context. This vulnerability requires staff-level access to set up but can be exploited by lower-privileged users once the malicious template is in place.

RCE Inventree
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2024-47610 MEDIUM PATCH This Month

InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Inventree
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-3355 PyPI MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Inventree
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-2134 MEDIUM POC PATCH This Month

Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Inventree
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-2113 MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Inventree
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%
CVE-2022-2112 PyPI HIGH POC PATCH This Week

Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Inventree
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2022-2111 PyPI HIGH POC PATCH This Week

Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

File Upload Inventree
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

InvenTree prior to versions 1.2.7 and 1.3.0 allows staff-level users to install arbitrary plugins via the API without requiring superuser privileges, enabling privilege escalation and potential code execution. The vulnerability exists because plugin installation permissions are inconsistently enforced compared to other plugin operations (such as uninstallation) that correctly require superuser access. Staff users, typically considered lower-trust accounts than superusers, can exploit this to deploy malicious plugins with full application context. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Inventree
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Authentication bypass in InvenTree open source inventory management system allows any authenticated user to generate API tokens for arbitrary users, including administrators, enabling complete account takeover. Affected versions 0.16.0 through 1.2.6 permit low-privileged users to forge API credentials by manipulating the user field in POST requests to /api/user/tokens/. Resulting tokens provide full API access from any network location without requiring victim interaction. No public exploit identified at time of analysis.

Authentication Bypass Inventree
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege escalation in InvenTree inventory management system versions prior to 1.2.7 and 1.3.0 allows remote unauthenticated attackers to elevate any user account to staff level through improperly secured API endpoints. Exploitation requires no special conditions beyond network access and enables unauthorized administrative access to inventory management functions. EPSS score of 0.03% (8th percentile) indicates low observed exploitation likelihood, and SSVC assessment confirms no known exploitation with non-automatable attack requiring user account creation first.

Authentication Bypass Inventree
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

InvenTree versions prior to 1.2.6 contain a path traversal vulnerability in the report template engine that allows authenticated staff users to read arbitrary files from the server filesystem through crafted template tags in the `encode_svg_image()`, `asset()`, and `uploaded_image()` functions. An attacker with staff privileges can exploit this to access sensitive files if the InvenTree installation runs with elevated host system permissions. Vendor-released patches are available in versions 1.2.6 and 1.3.0 or later; no public exploit code or active exploitation has been confirmed at this time.

Path Traversal SQLi Inventree
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

InvenTree prior to version 1.2.3 allows authenticated staff users to inject malicious Jinja2 template code into batch code generation functionality, enabling server-side template injection that can expose sensitive data or execute arbitrary code. Once a staff member modifies the template maliciously, any user triggering batch code generation via the API will execute the injected code within their user context. This vulnerability requires staff-level access to set up but can be exploited by lower-privileged users once the malicious template is in place.

RCE Inventree
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

InvenTree is an Open Source Inventory Management System. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Inventree
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Inventree
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Inventree
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Inventree
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Inventree
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

File Upload Inventree
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy