EUVD-2026-20590

InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST...

CVE-2025-46743 Cross-Site Request Forgery

An authenticated user's token could be used by another source after the user had logged out prior to the token expiring...