CVE-2026-35477— InvenTree has SSTI in PART_NAME_FORMAT bypasses CVE-2026-27629 fix via {% if part.pk %} sandbox escape
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-35477
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
InvenTree has SSTI in PART_NAME_FORMAT bypasses CVE-2026-27629 fix via {% if part.pk %} sandbox escape
Source: NVD (National Vulnerability Database)
Vulnerability Description
InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the actual renderer in part/helpers.py was not updated and still uses the non-sandboxed jinja2.Environment. Additionally, the validator uses a dummy Part instance with pk=None, which allows conditional template expressions to behave differently during validation versus production rendering. A staff user with settings access can craft a template that passes validation but executes arbitrary code during rendering. This issue requires access by a user with granted staff permissions. This vulnerability is fixed in 1.2.7 and 1.3.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1336
Source: NVD (National Vulnerability Database)
Vulnerability Title
InvenTree 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
InvenTree是InvenTree开源的一个开源库存管理系统。提供强大的低级库存控制和零件跟踪。 InvenTree 1.2.3至1.2.6版本存在安全漏洞,该漏洞源于验证器与实际渲染器环境不匹配,且使用虚拟实例进行验证,可能导致具有员工权限的用户在渲染时执行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-35477
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-35477
请登录查看更多情报信息。
Same Patch Batch · inventree · 2026-04-08 · 5 CVEs total
| CVE-2026-35478 | 8.3 HIGH | InvenTree has Arbitrary API Token Creation |
| CVE-2026-35476 | 7.2 HIGH | InvenTree Affected by Privilege Escalation via API |
| CVE-2026-35479 | 6.6 MEDIUM | InvenTree Plugin Installation - Insufficient Permissions |
| CVE-2026-39362 | InvenTree has SSRF via Remote Image Download — No IP/Hostname Validation on remote_image U |
IV. Related Vulnerabilities
Same product: InvenTree
- CVE-2026-39362
InvenTree has SSRF via Remote Image Download — No IP/Hostnam - CVE-2026-35479
InvenTree Plugin Installation - Insufficient Permissions - CVE-2026-35476
InvenTree Affected by Privilege Escalation via API - CVE-2026-35478
InvenTree has Arbitrary API Token Creation - CVE-2026-33531
InvenTree has Path Traversal In Report Templates
Same vendor: inventree
- CVE-2026-39362
InvenTree has SSRF via Remote Image Download — No IP/Hostnam - CVE-2026-35479
InvenTree Plugin Installation - Insufficient Permissions - CVE-2026-35476
InvenTree Affected by Privilege Escalation via API - CVE-2026-35478
InvenTree has Arbitrary API Token Creation - CVE-2026-33531
InvenTree has Path Traversal In Report Templates
Same weakness: CWE-1336
- CVE-2026-44129
Server-side template injection - CVE-2026-44916
OpenStack Ironic 安全漏洞 - CVE-2026-42203
LiteLLM: Server-Side Template Injection in /prompts/test end - CVE-2026-6984
AstrBotDevs AstrBot Dashboard API t2i.py create_template spe - CVE-2026-34587
Kirby has Server-Side Template Injection (SSTI) via double t
V. Comments for CVE-2026-35477
No comments yet