Description
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, and `uploaded_image()` in `src/backend/InvenTree/report/templatetags/report.py`. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.
Published: 2026-03-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: File disclosure via path traversal
Action: Patch immediately
AI Analysis

Impact

A path traversal flaw in InvenTree’s report template engine lets a user with staff privileges read arbitrary files from the server’s filesystem by embedding crafted template tags in a report template. The affected functions are encode_svg_image(), asset(), and uploaded_image() in src/backend/InvenTree/report/templatetags/report.py. If the InvenTree process runs with broad filesystem privileges on the host, the traversal may reach files outside the application’s source directory, potentially exposing sensitive data. The consequence is unauthorized disclosure of information; the advisory describes neither code execution nor denial of service. Note that the CVE record reproduced in the History section below lists the weakness as CWE-89 (SQL injection), while the behaviour described is path traversal, CWE-22.
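As an added illustration, not InvenTree’s own code (this page does not show the vulnerable or patched implementation), the following Python contrasts the weak pattern behind this class of bug, joining a template-supplied name under an asset directory without confining the result, with a hardened resolver that rejects anything escaping the directory. The function names, the temporary directory layout and the sample names are constructed for the example.

```python
# Added illustration (not InvenTree's code): a path join that permits traversal
# beside a hardened resolver that confines lookups to a base directory.
# Function names and the directory layout are constructed for this example.
import os
import tempfile
from pathlib import Path


def naive_asset_path(base_dir: str, name: str) -> str:
    """Weak pattern: join a template-controlled name under base_dir.
    '..' components walk out of base_dir, and an absolute name makes
    os.path.join discard base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, name))


def safe_asset_path(base_dir: str, name: str) -> Path:
    """Hardened pattern: reject absolute names, resolve the candidate
    (following symlinks) and require that it stays inside the resolved base."""
    if os.path.isabs(name):
        raise ValueError(f"absolute asset name rejected: {name!r}")
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    # Compare the resolved forms so 'x/../../y' and symlinks that point
    # outside the base directory are both caught (is_relative_to: Python 3.9+).
    if not candidate.is_relative_to(base):
        raise ValueError(f"asset name escapes base directory: {name!r}")
    return candidate


def evaluate(base_dir: str, name: str) -> dict:
    """Report whether the naive join escapes base_dir and whether the
    hardened resolver accepts the same name."""
    base = Path(base_dir).resolve()
    naive = Path(naive_asset_path(base_dir, name)).resolve()
    try:
        safe_asset_path(base_dir, name)
        accepted = True
    except ValueError:
        accepted = False
    return {"naive_escapes": not naive.is_relative_to(base),
            "safe_accepted": accepted}


def demo() -> dict:
    """Constructed layout: <tmp>/assets/logo.svg (legitimate), <tmp>/secret.txt
    (outside the asset directory) and, where the OS permits, a symlink
    <tmp>/assets/link.svg -> <tmp>/secret.txt. Returns the verdict per name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        assets = root / "assets"
        assets.mkdir()
        (assets / "logo.svg").write_text("<svg/>")
        (root / "secret.txt").write_text("outside the asset directory")
        names = ["logo.svg", "../secret.txt", "/etc/passwd"]
        try:
            (assets / "link.svg").symlink_to(root / "secret.txt")
            names.append("link.svg")
        except OSError:
            pass  # symlink creation not permitted on this host; skip that case
        return {name: evaluate(str(assets), name) for name in names}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r:20} naive escapes: {verdict['naive_escapes']!s:5} "
              f"hardened accepts: {verdict['safe_accepted']}")
```

Run it directly to print a verdict per name. The hardened resolver rejects absolute names before joining (os.path.join drops the base when its second argument is absolute) and compares resolved paths, so a symlink inside the asset directory that points outside it is refused as well; a prefix check on the unresolved string would miss that case.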

Affected Systems

The flaw affects all versions of InvenTree before 1.2.6. It is fixed in 1.2.6 and in 1.3.0 and later; any earlier 1.2.x release, and any release before 1.2, is vulnerable. The CVE record lists only InvenTree (CPE cpe:2.3:a:inventree_project:inventree) as affected.

Risk and Exploitability

The CVSS v4.0 score is 4.9 (Medium, not low); the vector includes the threat metric E:U (exploit maturity unreported), and NVD separately assigned a CVSS v3.1 base score of 6.5 (Medium) for the same issue. The EPSS score is below 1 %, indicating a very low predicted probability of exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires staff‑level access to upload or edit report templates, so an attacker must already hold staff credentials or compromise a staff account; once that access exists, the file read itself is low complexity. If the service runs with high system privileges, the reachable files extend to sensitive material outside the InvenTree tree, but the overall likelihood of a successful attack remains modest.

Generated by OpenCVE AI on April 2, 2026 at 04:16 UTC.

Remediation

Vendor fix: InvenTree 1.2.6 and 1.3.0 (or above) contain the patch. No workaround is available for earlier versions.

OpenCVE Recommended Actions

  • Update InvenTree to version 1.2.6 or any later release such as 1.3.0 that contains the fix.
  • If an upgrade is not immediately possible, restrict staff members to the minimum necessary permissions for template editing, and consider removing the ability to upload custom templates for non‑trusted users.
  • Run the InvenTree service under a low‑privilege system account to limit the scope of any potential file disclosure.
  • Monitor application and web‑server logs for report template uploads or edits whose asset or image tags contain `..` segments or absolute paths, and for unexpected file reads by the InvenTree process outside its media and source directories.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Inventree Project
                                      Inventree Project inventree
CPEs                                  cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*
Vendors & Products                    Inventree Project
                                      Inventree Project inventree
Metrics                               cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Sat, 28 Mar 2026 17:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Inventree
                                      Inventree inventree
Vendors & Products                    Inventree
                                      Inventree inventree

Thu, 26 Mar 2026 20:00:00 +0000

Type                 Values Removed   Values Added
Description                           (the description text shown at the top of this page)
Title                                 InvenTree has Path Traversal In Report Templates
Weaknesses                            CWE-89
References
Metrics                               cvssV4_0 {'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:47:03.887Z

Reserved: 2026-03-20T18:05:11.830Z

Link: CVE-2026-33531

Vulnrichment

Updated: 2026-03-27T19:47:00.450Z

NVD

Status: Analyzed

Published: 2026-03-26T20:16:15.400

Modified: 2026-04-01T18:50:41.000

Link: CVE-2026-33531

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:56:33Z

Weaknesses