216.73.216.233

CVE-2026-33531

· Published 26/03/2026 20:16 · Modified 26/03/2026 20:16

Labels: CVE-2026-33531 2026-03-26CVE-2026-33531CWE-89[email protected]

Essential information

Published
26/03/2026 20:16
Modified
26/03/2026 20:16
Author
Creator
CVSS
4.9 MEDIUM (v3) 4.9 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, and `uploaded_image()` in `src/backend/InvenTree/report/templatetags/report.py`. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
inventree / inventree cpe:2.3:a:inventree:inventree:<1.2.6:*:*:*:*:*:*:*

References