Inventree_project Inventree
15 CVEs affecting Inventree_project Inventree. Latest disclosed: 2026-04-08. Critical: 0, High: 7.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-2112 | High | 8.8 | 2022-06-17 | Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. |
| CVE-2022-2111 | High | 8.8 | 2022-06-17 | Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. |
| CVE-2026-35478 | High | 8.3 | 2026-04-08 | InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed… |
| CVE-2026-33530 | High | 7.7 | 2026-03-26 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to… |
| CVE-2024-47610 | High | 7.3 | 2024-10-07 | InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store javascript in markdown… |
| CVE-2026-35476 | High | 7.2 | 2026-04-08 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level vi… |
| CVE-2026-39362 | High | 7.1 | 2026-04-08 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users ca… |
| CVE-2026-35479 | Medium | 6.6 | 2026-04-08 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API… |
| CVE-2026-33531 | Medium | 6.5 | 2026-03-26 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-le… |
| CVE-2022-2134 | Medium | 6.5 | 2022-06-20 | Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. |
| CVE-2026-27629 | Medium | 5.9 | 2026-02-25 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to… |
| CVE-2026-35477 | Medium | 5.5 | 2026-04-08 | InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2… |
| CVE-2022-3355 | Medium | 5.4 | 2022-09-29 | Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. |
| CVE-2022-2113 | Medium | 5.4 | 2022-06-17 | Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. |
| CVE-2025-49000 | Low | 3.5 | 2025-06-03 | InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so… |