Description
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by a staff user to exfiltrate sensitive information or perform code execution on the server. This issue requires access by a user with granted staff permissions, followed by a request to generate a custom batch code via the API. Once the template has been modified in a malicious manner, the API call to generate a new batch code could be made by other users, and the template code will be executed with their user context. The code has been patched to ensure that all template generation is performed within a secure sandboxed context. This issue has been addressed in version 1.2.3, and any versions from 1.3.0 onwards. Some workarounds are available. The batch code template is a configurable global setting which can be adjusted via any user with staff access. To prevent this setting from being edited, it can be overridden at a system level to a default value, preventing it from being edited. This requires system administrator access, and cannot be changed from the client side once the server is running. It is recommended that for InvenTree installations prior to 1.2.3 the `STOCK_BATCH_CODE_TEMPLATE` and `PART_NAME_FORMAT` global settings are overridden at the system level to prevent editing.
Published: 2026-02-25
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Template Injection allowing code execution or data exfiltration
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in InvenTree's custom batch code generation feature, where staff users can edit the Jinja2 template used to build batch codes. Because that template was rendered without a sandbox, a malicious template can read server‑side secrets or execute arbitrary code whenever any user triggers rendering through the batch‑generation API call. The attack does not require network‑level access beyond normal API usage; it exploits a logical flaw in privilege handling and template evaluation.
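The mechanism described above, as an added illustration that is not InvenTree's own code: a staff-editable batch-code template rendered through a plain Jinja2 `Environment` (the unsandboxed pattern) next to the same template rendered through `jinja2.sandbox.SandboxedEnvironment` (the fix pattern), plus a save-time validation hook. The context dictionary, the template strings, `batch_context` and `validate_template` are constructed for this example; InvenTree's real render context is not on this page, and only the setting name `STOCK_BATCH_CODE_TEMPLATE` comes from the advisory.

```python
# Added illustration (not InvenTree's code): why rendering a staff-editable
# Jinja2 template outside a sandbox is an SSTI risk, and how
# SandboxedEnvironment contains it.
from jinja2 import Environment, StrictUndefined, TemplateSyntaxError, UndefinedError
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


def batch_context(part_name: str, serial: int) -> dict:
    """Constructed stand-in for the values a batch-code template may use.

    The real render context is an assumption; only the setting name
    STOCK_BATCH_CODE_TEMPLATE appears in the advisory.
    """
    return {"part": {"name": part_name}, "serial": serial, "date": "2026-02-25"}


# A legitimate batch-code template of the kind a staff user would configure.
BENIGN_TEMPLATE = "{{ part.name }}-{{ date }}-{{ '%04d' % serial }}"

# A template that reaches for a Python-internal attribute. A plain Environment
# resolves it, which is the attribute access SSTI payloads start from; the
# sandbox refuses it because underscore-prefixed attributes are unsafe.
PROBING_TEMPLATE = "{{ part.__class__ }}"


def render_unsandboxed(template_src: str, ctx: dict) -> str:
    """The pre-1.2.3 pattern: a plain Environment exposes Python internals."""
    env = Environment(undefined=StrictUndefined)
    return env.from_string(template_src).render(**ctx)


def render_sandboxed(template_src: str, ctx: dict) -> str:
    """The fix pattern: SandboxedEnvironment blocks unsafe attribute access.

    StrictUndefined makes a blocked lookup raise SecurityError instead of
    silently rendering as an empty string, so the attempt can be logged.
    """
    env = SandboxedEnvironment(undefined=StrictUndefined)
    return env.from_string(template_src).render(**ctx)


def try_render(renderer, template_src: str, ctx: dict) -> tuple:
    """Return ('ok', output) or ('blocked', reason) for the given renderer."""
    try:
        return ("ok", renderer(template_src, ctx))
    except SecurityError as exc:
        return ("blocked", str(exc))


def validate_template(template_src: str) -> bool:
    """Assumed save-time hook (not an InvenTree API): refuse to store a
    setting value that does not render cleanly in the sandbox against a
    sample context, so a bad edit is rejected before other users render it."""
    try:
        render_sandboxed(template_src, batch_context("SAMPLE", 1))
    except (SecurityError, TemplateSyntaxError, UndefinedError):
        return False
    return True


if __name__ == "__main__":
    ctx = batch_context("Widget", 7)
    for name, renderer in (("unsandboxed", render_unsandboxed),
                           ("sandboxed", render_sandboxed)):
        print(name, "benign :", try_render(renderer, BENIGN_TEMPLATE, ctx))
        print(name, "probing:", try_render(renderer, PROBING_TEMPLATE, ctx))
    print("validate benign :", validate_template(BENIGN_TEMPLATE))
    print("validate probing:", validate_template(PROBING_TEMPLATE))
```

Two design points matter for a defender. First, with Jinja2's default `Undefined` class the sandbox renders a blocked attribute as an empty string and raises nothing, so a probing template goes unnoticed; `StrictUndefined` turns the same lookup into a `SecurityError` that can be logged and alerted on. Second, validating the template when the global setting is saved, rather than only at render time, means a staff user's edit is rejected before any other user's API call executes it in that user's context.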

Affected Systems

InvenTree, an open‑source inventory management system, is affected in releases prior to 1.2.3. Version 1.2.3 and all later releases (including 1.3.0 and later) contain the fix. No specific operating system or platform constraints are listed.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium severity vulnerability. The EPSS score of less than 1 percent reflects a very low current exploitation probability, and the issue is not listed in CISA’s KEV catalogue. The likely attack vector is a local or remote API request to the batch‑generation endpoint; the attacker must first hold staff‑level credentials to alter the template, after which any user can trigger the harmful code via the batch‑generation API. Once the template has been tampered with, the injected code executes in the context of the calling user and can compromise the confidentiality, integrity, or availability of server resources, depending on the injected operations.

Generated by OpenCVE AI on April 18, 2026 at 10:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade InvenTree to version 1.2.3 or any later release that includes the sandboxed template execution fix.
  • If an immediate upgrade is not possible, configure the system‑level override for the global settings STOCK_BATCH_CODE_TEMPLATE and PART_NAME_FORMAT to a safe default, preventing staff users from editing the template.
  • Restrict staff access privileges to the minimum necessary, ensuring that only trusted users can modify global settings and trigger batch‑code generation.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Inventree Project; Inventree Project inventree
CPEs                 -                cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*
Vendors & Products   -                Inventree Project; Inventree Project inventree

Thu, 26 Feb 2026 23:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Inventree; Inventree inventree
Vendors & Products   -                Inventree; Inventree inventree

Wed, 25 Feb 2026 03:15:00 +0000

Type          Values Removed   Values Added
Description   -                InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by a staff user to exfiltrate sensitive information or perform code execution on the server. This issue requires access by a user with granted staff permissions, followed by a request to generate a custom batch code via the API. Once the template has been modified in a malicious manner, the API call to generate a new batch code could be made by other users, and the template code will be executed with their user context. The code has been patched to ensure that all template generation is performed within a secure sandboxed context. This issue has been addressed in version 1.2.3, and any versions from 1.3.0 onwards. Some workarounds are available. The batch code template is a configurable global setting which can be adjusted via any user with staff access. To prevent this setting from being edited, it can be overridden at a system level to a default value, preventing it from being edited. This requires system administrator access, and cannot be changed from the client side once the server is running. It is recommended that for InvenTree installations prior to 1.2.3 the `STOCK_BATCH_CODE_TEMPLATE` and `PART_NAME_FORMAT` global settings are overridden at the system level to prevent editing.
Title         -                InvenTree Vulnerable to Server Side Template Injection (SSTI)
Weaknesses    -                CWE-1336
References    -                -
Metrics       -                cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T21:33:40.971Z

Reserved: 2026-02-20T22:02:30.028Z

Link: CVE-2026-27629

Vulnrichment

Updated: 2026-02-26T21:06:59.891Z

NVD

Status : Analyzed

Published: 2026-02-25T03:16:06.680

Modified: 2026-02-27T20:00:51.417

Link: CVE-2026-27629

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses