Description
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, and `uploaded_image()` in `src/backend/InvenTree/report/templatetags/report.py`. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.
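The affected tags take a file name from the template and hand back that file's contents, so the defensive property they need is path containment: the resolved target must stay under the directory the tag is meant to serve. As an added illustration (not InvenTree's code), a traversal-prone lookup beside a contained one; the directory names and the helper names are assumptions.

```python
# Added illustration, not InvenTree's own code: the lookup pattern behind a
# file-returning template tag, in a traversal-prone and a hardened form.
import os
from pathlib import Path

# Hypothetical roots standing in for the report asset / upload directories.
ASSET_ROOT = "/srv/app/media/report/assets"
UPLOAD_ROOT = "/srv/app/media"


def naive_lookup(root: str, name: str) -> str:
    """Traversal-prone: joins the template-supplied name under root and
    trusts the result, so '../' sequences walk out of root."""
    return os.path.normpath(os.path.join(root, name))


def contained_lookup(root: str, name: str) -> str:
    """Hardened: resolve the final path and require it to stay under root.
    Rejects absolute names, NUL bytes, and any name that escapes root
    after '..' and symlink resolution."""
    if not name or os.path.isabs(name) or "\x00" in name:
        raise ValueError(f"rejected asset name: {name!r}")
    root_real = Path(root).resolve()
    target = (root_real / name).resolve()
    try:
        target.relative_to(root_real)  # raises ValueError if outside root
    except ValueError:
        raise ValueError(f"asset name escapes {root}: {name!r}") from None
    return str(target)


def is_contained(root: str, name: str) -> bool:
    """True if contained_lookup would serve the name, False if it rejects it."""
    try:
        contained_lookup(root, name)
        return True
    except ValueError:
        return False


def audit_names(root: str, names: list[str]) -> dict[str, list[str]]:
    """Split candidate tag arguments (e.g. pulled from stored templates
    during a post-upgrade review) into accepted and rejected sets."""
    verdict: dict[str, list[str]] = {"accepted": [], "rejected": []}
    for name in names:
        verdict["accepted" if is_contained(root, name) else "rejected"].append(name)
    return verdict
```

The audit helper is the piece a reviewer would run over tag arguments extracted from existing report templates to spot ones that would have escaped the asset directory.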
Published: 2026-03-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: File Disclosure
Action: Immediate Patch
AI Analysis

Impact

InvenTree’s report template engine is vulnerable to a path‑traversal flaw that lets a staff‑level user read arbitrary files from the server’s filesystem. By inserting specially crafted template tags into reports, the attacker can access files outside the InvenTree source directory if the process runs with elevated privileges. This can expose sensitive data such as configuration files or credentials, compromising confidentiality.

Affected Systems

The flaw affects the open‑source inventory management system InvenTree released by inventree. Any installation running a build earlier than 1.2.6 is vulnerable. The issue is fixed in release 1.2.6 and in all versions equal to or newer than 1.3.0. Systems that allow staff users to upload or edit report templates are at risk.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated staff account with permission to modify templates, and no additional network access beyond the web interface is needed. The extent of data exposure depends on the privileges of the InvenTree process; if the process runs as root or with high privileges, the attacker could read sensitive system files.

Generated by OpenCVE AI on March 26, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade InvenTree to version 1.2.6 or later
  • Verify that staff accounts cannot upload or modify templates containing malicious tags after the upgrade

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Inventree; Inventree inventree
Vendors & Products                    Inventree; Inventree inventree

Thu, 26 Mar 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description                    (the CVE description shown at the top of this page)
Title                          InvenTree has Path Traversal In Report Templates
Weaknesses                     CWE-89
References
Metrics                        cvssV4_0: {'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:40:50.787Z

Reserved: 2026-03-20T18:05:11.830Z

Link: CVE-2026-33531

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T20:16:15.400

Modified: 2026-03-26T20:16:15.400

Link: CVE-2026-33531

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:25:25Z

Weaknesses