CVE-2026-34365 - Vulnerability Details

Description

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF preview and customer view endpoints regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.

Published: 2026-03-31

Score: 7.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Injecting unsanitised HTML into the Notes field of an estimate causes the Dompdf library to fetch any remote resources referenced in that markup. The application then makes server‑side HTTP requests to attacker‑controlled URLs, enabling a Server‑Side Request Forgery that can reveal internal network information or unprivileged resources.

Affected Systems

InvoiceShelf is an open‑source web and mobile application for managing invoices and estimates. The SSRF vulnerability exists in all releases prior to version 2.2.0, including the 2.1.x series. Users running any unsupported or older version were affected until the 2.2.0 update was released.

Risk and Exploitability

The CVSS base score of 7.6 indicates a moderate to high severity. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog. The flaw is exploitable through the PDF preview and customer view endpoints, and does not require authentication; therefore any user can trigger it simply by creating or previewing an estimate with crafted Notes content. The patch in version 2.2.0 removes unsanitised input handling, so applying that update eliminates the risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

InvoiceShelf

affected

Version	Status	Constraints
`< 2.2.0`	affected	—

No data.

Vendor Product Confidence Versions

Invoiceshelf

100%

Version	Status	Scheme	Platform
`[0,2.2.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to InvoiceShelf version 2.2.0 or later to remove the SSRF flaw.
If update is not possible, validate or strip HTML in the Notes field before rendering the PDF to prevent remote resource fetching.
Restrict outbound network access from the InvoiceShelf server to limit the impact of a potential SSRF exploitation.
Audit logs to detect unexpected server requests and verify that no sensitive internal endpoints are being accessed.

Generated by OpenCVE AI on April 1, 2026 at 06:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00026.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0
https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-pc5v-8xwc-v9xq

History

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Invoiceshelf Invoiceshelf invoiceshelf
Vendors & Products		Invoiceshelf Invoiceshelf invoiceshelf

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF preview and customer view endpoints regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.
Title		InvoiceShelf: SSRF in Estimate PDF Rendering via Unsanitised HTML in Notes Field
Weaknesses		CWE-918
References		https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0 https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-pc5v-8xwc-v9xq
Metrics		cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N'}`

Subscriptions

Invoiceshelf Invoiceshelf

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-31T19:44:06.712Z

Updated: 2026-04-01T13:42:08.018Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34365

Vulnrichment

Updated: 2026-04-01T13:41:59.330Z

NVD

Status : Awaiting Analysis

Published: 2026-03-31T20:16:29.307

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-34365

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:59Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object