{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33531", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.830Z", "datePublished": "2026-03-26T19:40:50.787Z", "dateUpdated": "2026-03-27T19:47:03.887Z"}, "containers": {"cna": {"title": "InvenTree has Path Traversal In Report Templates", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-rhc5-7c3r-c769", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-rhc5-7c3r-c769"}, {"name": "https://github.com/inventree/InvenTree/pull/11579", "tags": ["x_refsource_MISC"], "url": "https://github.com/inventree/InvenTree/pull/11579"}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"version": "< 1.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:40:50.787Z"}, "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, and `uploaded_image()` in `src/backend/InvenTree/report/templatetags/report.py`. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available."}], "source": {"advisory": "GHSA-rhc5-7c3r-c769", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:46:51.984002Z", "id": "CVE-2026-33531", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:47:03.887Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33531", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T19:46:51.984002Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:47:00.450Z"}}], "cna": {"title": "InvenTree has Path Traversal In Report Templates", "source": {"advisory": "GHSA-rhc5-7c3r-c769", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"status": "affected", "version": "< 1.2.6"}]}], "references": [{"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-rhc5-7c3r-c769", "name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-rhc5-7c3r-c769", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/inventree/InvenTree/pull/11579", "name": "https://github.com/inventree/InvenTree/pull/11579", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, and `uploaded_image()` in `src/backend/InvenTree/report/templatetags/report.py`. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:40:50.787Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33531", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:47:03.887Z", "dateReserved": "2026-03-20T18:05:11.830Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T19:40:50.787Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*", "matchCriteriaId": "E308BCC2-3004-4830-92B8-4462819ECD0D", "versionEndExcluding": "1.2.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, and `uploaded_image()` in `src/backend/InvenTree/report/templatetags/report.py`. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available."}, {"lang": "es", "value": "InvenTree es un Sistema de Gesti\u00f3n de Inventario de C\u00f3digo Abierto. Antes de la versi\u00f3n 1.2.6, una vulnerabilidad de salto de ruta en el motor de plantillas de informes permite a un usuario con nivel de personal leer archivos arbitrarios del sistema de archivos del servidor mediante etiquetas de plantilla manipuladas. Funciones afectadas: `encode_svg_image()`, `asset()` y `uploaded_image()` en `src/backend/InvenTree/report/templatetags/report.py`. Esto requiere acceso de personal (para cargar / editar plantillas con etiquetas creadas maliciosamente). Si la instalaci\u00f3n de InvenTree est\u00e1 configurada con altos privilegios de acceso en el sistema anfitri\u00f3n, este salto de ruta puede permitir el acceso a archivos fuera del directorio fuente de InvenTree. Este problema est\u00e1 parcheado en la versi\u00f3n 1.2.6, y 1.3.0 (o superior). Los usuarios deben actualizar a las versiones parcheadas. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-33531", "lastModified": "2026-04-01T18:50:41.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T20:16:15.400", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/inventree/InvenTree/pull/11579"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-rhc5-7c3r-c769"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "InvenTree", "source": "cna", "vendor": "inventree"}, "product": "inventree", "vendor": "inventree"}], "analysis": {"en": {"generated_at": "2026-04-02T04:16:57.852756+00:00", "value": {"mitigation_remediation": ["Update InvenTree to version 1.2.6 or any later release such as 1.3.0 that contains the fix.", "If an upgrade is not immediately possible, restrict staff members to the minimum necessary permissions for template editing, and consider removing the ability to upload custom templates for non\u2011trusted users.", "Run the InvenTree service under a low\u2011privilege system account to limit the scope of any potential file disclosure.", "Monitor server logs for anomalous file access patterns that may indicate exploitation attempts."], "summary": {"action": "Patch immediately", "impact": "File disclosure via path traversal"}, "threat_synthesis": {"affected_systems": "The flaw exists in all versions of InvenTree before 1.2.6, including installations that backported this issue. The patch is available starting with release 1.2.6 and is also present in 1.3.0 and later. Users running any pre\u20111.2.6 version, or operating an older 1.2.x release, are vulnerable. No other vendors or products are affected.", "description_and_impact": "A path traversal flaw in InvenTree\u2019s report template engine permits a user with staff privileges to read arbitrary files from the server\u2019s filesystem by embedding crafted template tags. The vulnerability affects the functions encode_svg_image(), asset(), and uploaded_image() in the report tags module. If the host system grants high privileges to the InvenTree process, an attacker can access files outside the application\u2019s source directory, potentially exposing sensitive data. The primary consequence is unauthorized disclosure of information, rather than code execution or denial of service.", "risk_and_exploitability": "The CVSS score is 4.9, indicating low severity, and the EPSS score is below 1\u202f%, suggesting a very low probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires staff\u2011level access to upload or edit report templates, so an attacker must already have legitimate credentials or compromise a staff user. If high system privileges are in use, the risk of accessing critical files increases, but the overall likelihood of a successful attack remains modest."}}}}, "created": "2026-03-27T08:32:27.399801+00:00", "updated": "2026-04-02T07:56:33.509810+00:00", "vendors": ["inventree", "inventree$PRODUCT$inventree"]}