CVE-2026-33531

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, and `uploaded_image()` in `src/backend/InvenTree/report/templatetags/report.py`. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.

CVSS

No CVSS.

References

Link	Resource
https://github.com/inventree/InvenTree/pull/11579
https://github.com/inventree/InvenTree/security/advisories/GHSA-rhc5-7c3r-c769

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 20:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33531

Mitre link : CVE-2026-33531

CVE.ORG link : CVE-2026-33531

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-33531", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-26T20:16:15.400", "references": [{"url": "https://github.com/inventree/InvenTree/pull/11579", "source": "security-advisories@github.com"}, {"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-rhc5-7c3r-c769", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, and `uploaded_image()` in `src/backend/InvenTree/report/templatetags/report.py`. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available."}, {"lang": "es", "value": "InvenTree es un Sistema de Gesti\u00f3n de Inventario de C\u00f3digo Abierto. Antes de la versi\u00f3n 1.2.6, una vulnerabilidad de salto de ruta en el motor de plantillas de informes permite a un usuario con nivel de personal leer archivos arbitrarios del sistema de archivos del servidor mediante etiquetas de plantilla manipuladas. Funciones afectadas: `encode_svg_image()`, `asset()` y `uploaded_image()` en `src/backend/InvenTree/report/templatetags/report.py`. Esto requiere acceso de personal (para cargar / editar plantillas con etiquetas creadas maliciosamente). Si la instalaci\u00f3n de InvenTree est\u00e1 configurada con altos privilegios de acceso en el sistema anfitri\u00f3n, este salto de ruta puede permitir el acceso a archivos fuera del directorio fuente de InvenTree. Este problema est\u00e1 parcheado en la versi\u00f3n 1.2.6, y 1.3.0 (o superior). Los usuarios deben actualizar a las versiones parcheadas. No se conocen soluciones alternativas disponibles."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "security-advisories@github.com"}