What is CVE-2026-33531?

CVE-2026-33531 is a vulnerability in Inventree, classified under SQL Injection. Published 2026-03-26.

Is CVE-2026-33531 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

SQL Injection in Inventree

CVE-2026-33531

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template…

Vulnerability class: SQL Injection

EPSS: 0.000 (4.4th percentile) — read the EPSS interpretation.

Affected products

Inventree — versions < 1.2.6

Weakness classification (CWE)

CWE-89 — SQL Injection

Public proof-of-concept exploits

alonaki/InvenTree-Path-Traversal-CVE-2026-33531

References

https://github.com/inventree/InvenTree/security/advisories/GHSA-rhc5-7c3r-c769 (x_refsource_CONFIRM)
https://github.com/inventree/InvenTree/pull/11579 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33531?: CVE-2026-33531 is a vulnerability in Inventree, classified under SQL Injection. Published 2026-03-26.
Is CVE-2026-33531 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.