{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34366", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.369Z", "datePublished": "2026-03-31T20:05:57.318Z", "dateUpdated": "2026-04-01T18:42:09.630Z"}, "containers": {"cna": {"title": "InvoiceShelf: SSRF in Payment Receipt PDF Rendering via Unsanitised HTML in Notes Field", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-38hf-fq8x-q49r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-38hf-fq8x-q49r"}, {"name": "https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0"}], "affected": [{"vendor": "InvoiceShelf", "product": "InvoiceShelf", "versions": [{"version": "< 2.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:05:57.318Z"}, "descriptions": [{"lang": "en", "value": "InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0."}], "source": {"advisory": "GHSA-38hf-fq8x-q49r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:41:57.210814Z", "id": "CVE-2026-34366", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:42:09.630Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34366", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T18:41:57.210814Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:42:05.861Z"}}], "cna": {"title": "InvoiceShelf: SSRF in Payment Receipt PDF Rendering via Unsanitised HTML in Notes Field", "source": {"advisory": "GHSA-38hf-fq8x-q49r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "InvoiceShelf", "product": "InvoiceShelf", "versions": [{"status": "affected", "version": "< 2.2.0"}]}], "references": [{"url": "https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-38hf-fq8x-q49r", "name": "https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-38hf-fq8x-q49r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0", "name": "https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:05:57.318Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34366", "state": "PUBLISHED", "dateUpdated": "2026-04-01T18:42:09.630Z", "dateReserved": "2026-03-27T13:43:14.369Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T20:05:57.318Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:invoiceshelf:invoiceshelf:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF850775-DE65-40B0-9079-B1ABA4F1F4C9", "versionEndExcluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0."}], "id": "CVE-2026-34366", "lastModified": "2026-04-07T15:26:23.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T21:16:29.537", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-38hf-fq8x-q49r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "InvoiceShelf", "source": "cna", "vendor": "InvoiceShelf"}, "product": "invoiceshelf", "vendor": "invoiceshelf"}], "analysis": {"en": {"generated_at": "2026-04-07T23:08:33.227457+00:00", "value": {"mitigation_remediation": ["Upgrade InvoiceShelf to version 2.2.0 or later", "If an upgrade cannot be performed immediately, disable the PDF receipt generation feature or restrict access to it until a patch is applied", "Sanitise or remove any user\u2011supplied HTML in the payment Notes field before passing it to the PDF renderer"], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery (SSRF) via unsanitised HTML in the payment Notes field"}, "threat_synthesis": {"affected_systems": "The issue affects the open\u2011source InvoiceShelf application before version 2.2.0. All installations running any release prior to 2.2.0 are vulnerable. Version 2.2.0, released in the mentioned tag, includes the fix.", "description_and_impact": "A Server\u2011Side Request Forgery vulnerability allows an attacker to trick the PDF rendering library into fetching arbitrary remote resources. The flaw stems from user\u2011supplied HTML in the payment Notes field being passed unchanged to the Dompdf library, which can resolve external URLs and perform requests on behalf of the server. The weakness is identified as CWE\u2011918. This results in the ability to access internal network services, exfiltrate data, or trigger internal actions without authentication to the vulnerable endpoint.", "risk_and_exploitability": "The CVSS score of 7.6 indicates a high impact potential. The EPSS percentage is below 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is direct; an adversary can submit a malicious Notes field and trigger the PDF receipt endpoint to perform SSRF without needing any additional privileges. No specific user authentication is required to exploit the flaw beyond creating a payment record."}}}}, "created": "2026-04-02T07:53:01.619439+00:00", "updated": "2026-04-08T20:00:06.454907+00:00", "vendors": ["invoiceshelf", "invoiceshelf$PRODUCT$invoiceshelf"]}