138 matches found
CVE-2026-33530
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints e.g. /api/part/, /api/stock/,...
CVE-2026-33530 InvenTree Vulnerable to ORM Filter Injection
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints e.g. /api/part/, /api/stock/,...
EUVD-2026-16359
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints e.g. /api/part/, /api/stock/,...
CVE-2026-33530
The CVE affects InvenTree prior to version 1.2.6, where bulk data API endpoints (e.g., /api/part/, /api/stock/, /api/order/so/allocation/, etc.) accept a filters parameter that is passed directly to Django queryset.filter(**filters) without any field allowlisting. This allows an authenticated use...
InvenTree Security Vulnerability
InvenTree is an open-source inventory management system developed by InvenTree. It provides robust low-level inventory control and parts tracking capabilities. Versions of InvenTree prior to 1.2.6 contained security vulnerabilities. These vulnerabilities stemmed from the batch operation API...
PT-2026-28488
Name of the Vulnerable Software and Affected Versions: InvenTree versions prior to 1.2.6; InvenTree versions 1.2.6 through 1.3.0. Description: InvenTree is an Open Source Inventory Management System. Certain API endpoints associated with bulk data operations can be exploited to exfiltrate sensitive...
InvenTree SQL Injection Vulnerability
InvenTree is an open-source inventory management system developed by InvenTree. It provides powerful low-level inventory control and parts tracking capabilities. Versions of InvenTree prior to 1.2.6 contained a SQL injection vulnerability. This vulnerability stemmed from the report template...
PT-2026-28489
Name of the Vulnerable Software and Affected Versions: InvenTree versions prior to 1.2.6; InvenTree versions 1.2.6 through 1.3.0. Description: InvenTree is an Open Source Inventory Management System. A path traversal issue exists in the report template engine, allowing a staff-level user to read...
CVE-2026-27629
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified b...
CVE-2026-27629 InvenTree Vulnerable to Server Side Template Injection (SSTI)
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified b...
EUVD-2026-8602
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified b...
CVE-2026-27629
InvenTree prior to v1.2.3 is affected by a server-side template vulnerability in batch code generation. A staff user can modify the customizable Jinja2 template used during batch code creation via the API; if another user triggers the API call, the template executes in their user context, potenti...
InvenTree Security Vulnerability
InvenTree is an open-source inventory management system developed by InvenTree. It provides robust low-level inventory control and parts tracking capabilities. Versions of InvenTree prior to 1.2.3 contained security vulnerabilities, which were caused by insecure server-side templates. These...
PT-2026-21846
Name of the Vulnerable Software and Affected Versions: InvenTree versions prior to 1.2.3. Description: InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom...
EUVD-2022-6042
Malicious code in bioql PyPI...