VYPR

Inventree/inventree

by Inventree Project

CVEs (12)

  • CVE-2022-2112 (High) - Jun 17, 2022
    risk 0.50, cvss 8.8, epss 0.01

    Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.

  • CVE-2022-2111 (High) - Jun 17, 2022
    risk 0.50, cvss 8.8, epss 0.01

    Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2.

  • CVE-2026-33530 (High) - Mar 26, 2026
    risk 0.43, cvss 7.7, epss 0.00

    InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`,…

  • CVE-2026-35476 (High) - Apr 8, 2026
    risk 0.40, cvss 7.2, epss 0.00

    InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly…

  • CVE-2026-39362 (High) - Apr 8, 2026
    risk 0.39, cvss 7.1, epss 0.00

    InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There…

  • CVE-2026-35479 (Medium) - Apr 8, 2026
    risk 0.36, cvss 6.6, epss 0.00

    InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other…

  • CVE-2026-33531 (Medium) - Mar 26, 2026
    risk 0.35, cvss 6.5, epss 0.00

    InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions:…

  • CVE-2026-35477 (Medium) - Apr 8, 2026
    risk 0.29, cvss 5.5, epss 0.00

    InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the actual renderer in part/helpers.py was not updated and still uses the…

  • CVE-2022-3355 (Medium) - Sep 29, 2022
    risk 0.28, cvss 5.4, epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3.

  • CVE-2026-27629 (severity not listed) - Feb 25, 2026
    risk 0.00, cvss not listed, epss 0.00

    InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which…

  • CVE-2022-2134 (Medium) - Jun 20, 2022
    risk 0.00, cvss 6.5, epss 0.01

    Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0.

  • CVE-2022-2113 (Medium) - Jun 17, 2022
    risk 0.00, cvss 5.4, epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2.