138 matches found
CVE-2026-39362
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREEDOWNLOADFROMURL is enabled opt-in, authenticated users can supply remoteimage URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation against...
CVE-2026-39362
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREEDOWNLOADFROMURL is enabled opt-in, authenticated users can supply remoteimage URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation against...
CVE-2026-35477
InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PARTNAMEFORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the actual renderer in part/helpers.py was not updated and still uses the non-sandboxed...
CVE-2026-35479
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions such as...
CVE-2026-35478
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST...
CVE-2026-39362
CVE-2026-39362 affects InvenTree (Open Source Inventory Management System). Before versions 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled, authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django’s URLValidator check. There i...
CVE-2026-39362 InvenTree has SSRF via Remote Image Download — No IP/Hostname Validation on remote_image URLs
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREEDOWNLOADFROMURL is enabled opt-in, authenticated users can supply remoteimage URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation against...
EUVD-2026-20596
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREEDOWNLOADFROMURL is enabled opt-in, authenticated users can supply remoteimage URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation against...
EUVD-2026-20592
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions such as...
CVE-2026-35479 InvenTree Plugin Installation - Insufficient Permissions
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions such as...
CVE-2026-35479 InvenTree Plugin Installation - Insufficient Permissions
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions such as...
CVE-2026-35479
CVE-2026-35479 affects InvenTree prior to versions 1.2.7 and 1.3.0, where staff users with staff access could install plugins via the API without requiring a superuser account. This bypasses the intended permission model and could enable installation of arbitrary, potentially harmful plugins. The...
CVE-2026-35476
Summary : InvenTree (Open Source Inventory Management System) contains a privilege escalation flaw present before versions 1.2.7 and 1.3.0. A non-staff authenticated user can raise their account to staff level by sending a POST request to their user account endpoint because the API endpoint’s wri...
CVE-2026-35476 InvenTree Affected by Privilege Escalation via API
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...
CVE-2026-35476 InvenTree Affected by Privilege Escalation via API
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...
EUVD-2026-20590
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST...
CVE-2026-35478 InvenTree has Arbitrary API Token Creation
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST...
CVE-2026-35478
CVE-2026-35478 affects InvenTree Open Source Inventory Management System (versions 0.16.0 through before 1.2.7). The issue allows any authenticated InvenTree user to create a valid API token for any other user (including admins) by supplying the target user’s ID in the POST /api/user/tokens/ requ...
CVE-2026-35478 InvenTree has Arbitrary API Token Creation
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST...
CVE-2026-35477
CVE-2026-35477 affects InvenTree (1.2.3–1.2.6) where the PART_NAME_FORMAT validator used jinja2.sandbox.SandboxedEnvironment, but the actual renderer in part/helpers.py still used non-sandboxed jinja2.Environment. The validator also used a dummy Part with pk=None, creating a mismatch between vali...