cvebase

Inventree Project Inventree vulnerabilities

15 known vulnerabilities affecting inventree_project/inventree.

Total CVEs: 15
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 5, MEDIUM 9

Vulnerabilities

CVE | P | Severity | CVSS | Versions | Date
CVE-2026-35477 | P2 | CRITICAL | CVSS 9.9 | ≥ 1.2.3, ≤ 1.2.6 | 2026-04-08
CVE-2026-35477 [CRITICAL]: InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the actual renderer in part/helpers.py was not updated and still uses the non-sandboxed jinja2.Environment. Additionally, the validator uses a dummy Part insta
Source: nvd
CVE-2026-35478 | P3 | HIGH | CVSS 8.1 | ≥ 0.16.0, ≤ 1.2.6 | 2026-04-08
CVE-2026-35478 [HIGH] CWE-639: InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST /api/user/tokens/ request. The returned token is immedia
Source: nvd
CVE-2026-27629 | P3 | HIGH | CVSS 8.8 | fixed in 1.2.3 | 2026-02-25
CVE-2026-27629 [HIGH] CWE-1336: InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by a staff user to exfiltrate sensitive information or p
Source: nvd
CVE-2022-2111 | P3 | HIGH | CVSS 8.8 | fixed in 0.7.2 | 2022-06-17
CVE-2022-2111 [HIGH] CWE-434: Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2.
Source: nvd
CVE-2026-33531 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.2.6 | 2026-03-26
CVE-2026-33531 [MEDIUM] CWE-89: InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, and `uploaded_image()` in `src/backend/InvenTree/repo
Source: nvd
CVE-2026-39362 | P3 | HIGH | CVSS 7.1 | fixed in 1.2.7 | 2026-04-08
CVE-2026-39362 [HIGH] CWE-918: InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation against private IP ranges or internal hostnames. Redirect
Source: nvd
CVE-2022-2112 | P3 | HIGH | CVSS 8.8 | fixed in 0.7.2 | 2022-06-17
CVE-2022-2112 [HIGH] CWE-1236: Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.
Source: nvd
CVE-2026-33530 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.2.6 | 2026-03-26
CVE-2026-33530 [MEDIUM] CWE-202: InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that
Source: nvd
CVE-2025-49000 | P4 | MEDIUM | CVSS 5.7 | fixed in 0.17.13 | 2025-06-03
CVE-2025-49000 [MEDIUM] CWE-400: InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a denial-of-service via memory exhaustion. The issue is fixed in v
Source: nvd
CVE-2024-47610 | P4 | MEDIUM | CVSS 5.4 | fixed in 0.16.5 | 2024-10-07
CVE-2024-47610 [MEDIUM] CWE-79: InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store javascript in markdown notes fields, which are then displayed to other logged in users who visit the same page and executed. The vulnerability has been addressed as follows: 1. HTML sanitization has been enabled in
Source: nvd
CVE-2026-35479 | P4 | MEDIUM | CVSS 4.7 | fixed in 1.2.7 | 2026-04-08
CVE-2026-35479 [MEDIUM] CWE-285: InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions (such as uninstalling) which do require superuser access. The
Source: nvd
CVE-2022-2113 | P4 | MEDIUM | CVSS 5.4 | fixed in 0.7.2 | 2022-06-17
CVE-2022-2113 [MEDIUM] CWE-79: Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2.
Source: nvd
CVE-2022-3355 | P4 | MEDIUM | CVSS 5.4 | fixed in 0.8.3 | 2022-09-29
CVE-2022-3355 [MEDIUM] CWE-79: Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3.
Source: nvd
CVE-2022-2134 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.8.0 | 2022-06-20
CVE-2022-2134 [MEDIUM] CWE-770: Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0.
Source: nvd
CVE-2026-35476 | P4 | MEDIUM | CVSS 4.3 | ≤ 1.2.6 | 2026-04-08
CVE-2026-35476 [MEDIUM] CWE-285: InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any user to change their staff status. This vulnerability is
Source: nvd