
inventree — Vulnerabilities & Security Advisories (15)

Browse all 15 CVE security advisories affecting inventree. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Inventree serves as an open-source inventory management system designed for tracking parts, assemblies, and stock levels. Historically, the platform has been susceptible to multiple remote code execution vulnerabilities, cross-site scripting attacks, and privilege escalation flaws, with 15 CVEs documented to date. Notable security characteristics include its Python/Django architecture and reliance on third-party libraries. While no major public security incidents have been widely reported, the consistent discovery of RCE vulnerabilities in earlier versions highlights potential risks for organizations deploying the system without applying security patches.

Top products by inventree: InvenTree inventree/inventree
| CVE ID | Title | Vendor/Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39362 | InvenTree has SSRF via Remote Image Download — No IP/Hostname Validation on remote_image URLs | InvenTree | CWE-918 | 7.1 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-35479 | InvenTree Plugin Installation - Insufficient Permissions | InvenTree | CWE-285 | 6.6 | Medium | 2026-04-08 |
| CVE-2026-35476 | InvenTree Affected by Privilege Escalation via API | InvenTree | CWE-285 | 7.2 | High | 2026-04-08 |
| CVE-2026-35478 | InvenTree has Arbitrary API Token Creation | InvenTree | CWE-639 | 8.3 | High | 2026-04-08 |
| CVE-2026-35477 | InvenTree has SSTI in PART_NAME_FORMAT bypasses CVE-2026-27629 fix via {% if part.pk %} sandbox escape | InvenTree | CWE-1336 | 5.5 | Medium | 2026-04-08 |
| CVE-2026-33531 | InvenTree has Path Traversal In Report Templates | InvenTree | CWE-89 | 4.9 | - | 2026-03-26 |
| CVE-2026-33530 | InvenTree Vulnerable to ORM Filter Injection | InvenTree | CWE-202 | 7.7 | High | 2026-03-26 |
| CVE-2026-27629 | InvenTree Vulnerable to Server Side Template Injection (SSTI) | InvenTree | CWE-1336 | 5.9 | Medium | 2026-02-25 |
| CVE-2025-49000 | InvenTree has uncontrolled memory allocation via built-in label-sheet plugin | InvenTree | CWE-400 | 3.5 | Low | 2025-06-03 |
| CVE-2024-47610 | Stored Cross-site Scripting Vulnerability in Markdown Editor | InvenTree | CWE-79 | 7.3 | High | 2024-10-07 |
| CVE-2022-3355 | Cross-site Scripting (XSS) - Stored in inventree/inventree | inventree/inventree | CWE-79 | 5.4 | - | 2022-09-29 |
| CVE-2022-2134 | Allocation of Resources Without Limits or Throttling in inventree/inventree | inventree/inventree | CWE-770 | 7.5 | - | 2022-06-20 |
| CVE-2022-2113 | Cross-site Scripting (XSS) - Stored in inventree/inventree | inventree/inventree | CWE-79 | 5.4 | - | 2022-06-17 |
| CVE-2022-2112 | Improper Neutralization of Formula Elements in a CSV File in inventree/inventree | inventree/inventree | CWE-1236 | 8.8 | - | 2022-06-17 |
| CVE-2022-2111 | Unrestricted Upload of File with Dangerous Type in inventree/inventree | inventree/inventree | CWE-434 | 8.8 | - | 2022-06-17 |

Entries marked "(AI)" carry the page's AI badge on their CVSS score and severity rating; entries with "-" in the Severity column have no severity rating listed.

This page lists every published CVE security advisory associated with inventree. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.