Inventree_project Inventree

15 CVEs affecting Inventree_project Inventree. Latest disclosed: 2026-04-08. Critical: 0, High: 7.

Top CVEs affecting Inventree_project Inventree
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-2112 | High | 8.8 | 2022-06-17 | Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2. |
| CVE-2022-2111 | High | 8.8 | 2022-06-17 | Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2. |
| CVE-2026-35478 | High | 8.3 | 2026-04-08 | InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed… |
| CVE-2026-33530 | High | 7.7 | 2026-03-26 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to… |
| CVE-2024-47610 | High | 7.3 | 2024-10-07 | InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store javascript in markdown… |
| CVE-2026-35476 | High | 7.2 | 2026-04-08 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level vi… |
| CVE-2026-39362 | High | 7.1 | 2026-04-08 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users ca… |
| CVE-2026-35479 | Medium | 6.6 | 2026-04-08 | InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API… |
| CVE-2026-33531 | Medium | 6.5 | 2026-03-26 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-le… |
| CVE-2022-2134 | Medium | 6.5 | 2022-06-20 | Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0. |
| CVE-2026-27629 | Medium | 5.9 | 2026-02-25 | InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to… |
| CVE-2026-35477 | Medium | 5.5 | 2026-04-08 | InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2… |
| CVE-2022-3355 | Medium | 5.4 | 2022-09-29 | Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3. |
| CVE-2022-2113 | Medium | 5.4 | 2022-06-17 | Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2. |
| CVE-2025-49000 | Low | 3.5 | 2025-06-03 | InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so… |