SSRF in Inventree
CVE-2026-39362
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.000 (1.4th percentile) — read the EPSS interpretation.
Affected products
- Inventree — versions < 1.2.7
Weakness classification (CWE)
References
- https://github.com/inventree/InvenTree/security/advisories/GHSA-m9j7-jw3m-fr22 (x_refsource_CONFIRM)