Inventree Project
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-35478 | InvenTree | High | 0.47 | 8.3 | 0.00 | | Apr 8, 2026 | InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the… |
| CVE-2026-33530 | InvenTree | High | 0.43 | 7.7 | 0.00 | | Mar 26, 2026 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`,… |
| CVE-2026-35476 | InvenTree | High | 0.40 | 7.2 | 0.00 | | Apr 8, 2026 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly… |
| CVE-2026-39362 | InvenTree | High | 0.39 | 7.1 | 0.00 | | Apr 8, 2026 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There… |
| CVE-2026-35479 | InvenTree | Medium | 0.36 | 6.6 | 0.00 | | Apr 8, 2026 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other… |
| CVE-2026-33531 | InvenTree | Medium | 0.35 | 6.5 | 0.00 | | Mar 26, 2026 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions:… |
| CVE-2026-35477 | InvenTree | Medium | 0.29 | 5.5 | 0.00 | | Apr 8, 2026 | InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the actual renderer in part/helpers.py was not updated and still uses the… |
| CVE-2026-27629 | InvenTree | | 0.00 | — | 0.00 | | Feb 25, 2026 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which… |
| CVE-2025-49000 | InvenTree | | 0.00 | — | 0.00 | | Jun 3, 2025 | InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user… |
| CVE-2024-47610 | InvenTree | | 0.00 | — | 0.00 | | Oct 7, 2024 | InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store javascript in markdown notes fields, which are then displayed to other logged in users who visit the same page and executed. The vulnerability… |
| CVE-2022-3355 | InvenTree | | 0.00 | — | 0.01 | | Sep 29, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. |
| CVE-2022-2134 | InvenTree | | 0.00 | — | 0.01 | | Jun 20, 2022 | Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. |
| CVE-2022-2113 | InvenTree | | 0.00 | — | 0.01 | | Jun 17, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. |
| CVE-2022-2112 | InvenTree | | 0.00 | — | 0.01 | | Jun 17, 2022 | Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. |
| CVE-2022-2111 | InvenTree | | 0.00 | — | 0.01 | | Jun 17, 2022 | Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. |