Inventree Project: >> Inventree Security Vulnerabilities
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by a staff user to exfiltrate sensitive information or perform code execution on the server. This issue requires access by a user with granted staff permissions, followed by a request to generate a custom batch code via the API. Once the template has been modified in a malicious manner, the API call to generate a new batch code could be made by other users, and the template code will be executed with their user context. The code has been patched to ensure that all template generation is performed within a secure sandboxed context. This issue has been addressed in version 1.2.3, and any versions from 1.3.0 onwards. Some workarounds are available. The batch code template is a configurable global setting which can be adjusted via any user with staff access. To prevent this setting from being edited, it can be overridden at a system level to a default value, preventing it from being edited. This requires system administrator access, and cannot be changed from the client side once the server is running. It is recommended that for InvenTree installations prior to 1.2.3 the `STOCK_BATCH_CODE_TEMPLATE` and `PART_NAME_FORMAT` global settings are overridden at the system level to prevent editing.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-02-25
InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a denial-of-service via memory exhaustion. the issue is fixed in versions 0.17.13 and higher. No workaround is available aside from upgrading to the patched version.
CVSS Score
3.5
EPSS Score
0.001
Published
2025-06-03
InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store javascript in markdown notes fields, which are then displayed to other logged in users who visit the same page and executed. The vulnerability has been addressed as follows: 1. HTML sanitization has been enabled in the front-end markdown rendering library - `easymde`. 2. Stored markdown is also validated on the backend, to ensure that malicious markdown is not stored in the database. These changes are available in release versions 0.16.5 and later. All users are advised to upgrade. There are no workarounds, an update is required to get the new validation functions.
CVSS Score
7.3
EPSS Score
0.006
Published
2024-10-07
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.8.3.
CVSS Score
8.2
EPSS Score
0.001
Published
2022-09-29
Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0.
CVSS Score
7.1
EPSS Score
0.003
Published
2022-06-20
Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2.
CVSS Score
9.0
EPSS Score
0.004
Published
2022-06-17
Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.
CVSS Score
9.0
EPSS Score
0.004
Published
2022-06-17
Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2.
CVSS Score
8.4
EPSS Score
0.004
Published
2022-06-17