11 matches found
CVE-2026-39362
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when the opt-in INVENTREE_DOWNLOAD_FROM_URL setting is enabled, authenticated users can supply remote_image URLs that are fetched server-side via requests.get with only Django's URLValidator check. There is no validation against...
EUVD-2026-20590
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST...
InvenTree security vulnerability
InvenTree is an open-source inventory management system developed by InvenTree. It provides robust low-level inventory control and parts tracking capabilities. Versions of InvenTree from 0.16.0 to 1.2.7 contained security vulnerabilities. These vulnerabilities allowed any authenticated user to...
CVE-2026-33531
CVE-2026-33531 affects InvenTree prior to 1.2.6. A path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary server files via crafted template tags in report.py (encode_svg_image(), asset(), uploaded_image()). Exploitation requires staff access to uplo...
EUVD-2026-8602
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified b...
EUVD-2025-16786
Malicious code in bioql PyPI...
EUVD-2024-42543
Malicious code in bioql PyPI...
CVE-2025-49000
InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in label-sheet plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a...
CVE-2025-49000
InvenTree (before v0.17.13) has an unbounded skip field in the built-in label-sheet plugin. An authenticated label-printing user can trigger a denial-of-service via memory exhaustion by supplying a large value, as described in CVE-2025-49000. The issue is fixed in v0.17.13 and higher. No workarou...
inventree-digikey-integration (>=0.1.1 <=1.0.0), kintree (>=1.1.0 <=1.1.3) potentially affected by unknown CVE via inventree (>=0.13.5 <=0.14.0)
inventree PYPI version =0.13.5, =0.1.1, =1.1.0, =1.1.3 Source cves: unknown CVE Source advisory: OSV:GHSA-VX3H-QWQW-R2WQ...
InvenTree code issue vulnerability
InvenTree is an open source inventory management system from InvenTree Open Source. It provides powerful low-level inventory control and parts tracking. A file upload vulnerability exists in InvenTree versions prior to 0.7.2, which stems from the application's lack of effective validation of upload...