VYPR

Inventree

by Inventree Project

CVEs (12)

  • CVE-2026-35478 (High), Apr 8, 2026
    risk 0.47, CVSS 8.3, EPSS 0.00

    InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the…

  • CVE-2026-33530 (High), Mar 26, 2026
    risk 0.43, CVSS 7.7, EPSS 0.00

    InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`,…

  • CVE-2026-35476 (High), Apr 8, 2026
    risk 0.40, CVSS 7.2, EPSS 0.00

    InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly…

  • CVE-2026-39362 (High), Apr 8, 2026
    risk 0.39, CVSS 7.1, EPSS 0.00

    InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There…

  • CVE-2026-35479 (Medium), Apr 8, 2026
    risk 0.36, CVSS 6.6, EPSS 0.00

    InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other…

  • CVE-2026-33531 (Medium), Mar 26, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions:…

  • CVE-2026-35477 (Medium), Apr 8, 2026
    risk 0.29, CVSS 5.5, EPSS 0.00

    InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the actual renderer in part/helpers.py was not updated and still uses the…

  • CVE-2026-27629, Feb 25, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which…

  • CVE-2025-49000, Jun 3, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user…

  • CVE-2024-47610, Oct 7, 2024
    risk 0.00, CVSS not listed, EPSS 0.00

    InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store JavaScript in markdown notes fields; the script is then displayed to other logged-in users who visit the same page and executed. The vulnerability…

  • CVE-2022-2134, Jun 20, 2022
    risk 0.00, CVSS not listed, EPSS 0.01

    Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0.

  • CVE-2022-2113, Jun 17, 2022
    risk 0.00, CVSS not listed, EPSS 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2.