Inventree/inventree
Source repositories
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-2112 | inventree / inventree | High | 0.50 | 8.8 | 0.01 | | Jun 17, 2022 | Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. |
| CVE-2022-2111 | inventree / inventree | High | 0.50 | 8.8 | 0.01 | | Jun 17, 2022 | Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. |
| CVE-2026-33530 | inventree / inventree | High | 0.43 | 7.7 | 0.00 | | Mar 26, 2026 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`,… |
| CVE-2026-35476 | inventree / inventree | High | 0.40 | 7.2 | 0.00 | | Apr 8, 2026 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly… |
| CVE-2026-39362 | inventree / inventree | High | 0.39 | 7.1 | 0.00 | | Apr 8, 2026 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There… |
| CVE-2026-35479 | inventree / inventree | Medium | 0.36 | 6.6 | 0.00 | | Apr 8, 2026 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other… |
| CVE-2026-33531 | inventree / inventree | Medium | 0.35 | 6.5 | 0.00 | | Mar 26, 2026 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions:… |
| CVE-2026-35477 | inventree / inventree | Medium | 0.29 | 5.5 | 0.00 | | Apr 8, 2026 | InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the actual renderer in part/helpers.py was not updated and still uses the… |
| CVE-2022-3355 | inventree / inventree | Medium | 0.28 | 5.4 | 0.01 | | Sep 29, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. |
| CVE-2026-27629 | inventree / inventree | | 0.00 | — | 0.00 | | Feb 25, 2026 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which… |
| CVE-2022-2134 | inventree / inventree | Medium | 0.00 | 6.5 | 0.01 | | Jun 20, 2022 | Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. |
| CVE-2022-2113 | inventree / inventree | Medium | 0.00 | 5.4 | 0.01 | | Jun 17, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. |