Description
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF preview and customer view endpoints regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.
Published: 2026-03-31
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Internal Network Access via SSRF
Action: Immediate Patch
AI Analysis

Impact

A Server‑Side Request Forgery flaw exists in the PDF generation path of InvoiceShelf’s estimating module. User input placed in the Notes field is passed directly to the Dompdf rendering library without HTML sanitisation, allowing an attacker to embed arbitrary URLs in the note. When the PDF is rendered, Dompdf will fetch the referenced remote resource, causing the application server to make outbound requests on the attacker’s behalf. This behaviour can expose internal network services, leak sensitive data, or serve as a stepping‑stone to further exploitation. The vulnerability is scored as CVSS 7.6, indicating high severity.

Affected Systems

All releases of InvoiceShelf prior to version 2.2.0 are vulnerable. The fix is available in release 2.2.0 and later. The product is an open‑source web and mobile application used for managing invoices and estimates.

Risk and Exploitability

The flaw is highly relevant to attackers who can create or edit estimates with custom Notes. Exploitation requires access to the PDF preview or customer view endpoints, which are normally protected by authentication. While the EPSS score is below 1%, signalling a relatively low current exploit probability, the CVSS rating and lack of mitigations mean the vulnerability poses a real risk if left unpatched. It is not present in the CISA KEV catalogue. Attackers would typically learn the vulnerable endpoint by browsing the application, then inject a malicious URL in the Notes field to force the server to fetch internal or external content.

Generated by OpenCVE AI on April 7, 2026 at 23:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update InvoiceShelf to version 2.2.0 or later, which sanitises the Notes field and blocks external resource fetching during PDF rendering.
  • After updating, verify that Dompdf no longer processes untrusted URLs embedded in user‑supplied HTML.
  • If an immediate upgrade is not possible, limit access to the PDF preview/customer view endpoints or enforce server‑side filtering of URLs in the Notes field before PDF generation.

Generated by OpenCVE AI on April 7, 2026 at 23:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:invoiceshelf:invoiceshelf:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Invoiceshelf
Invoiceshelf invoiceshelf
Vendors & Products Invoiceshelf
Invoiceshelf invoiceshelf

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF preview and customer view endpoints regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.
Title InvoiceShelf: SSRF in Estimate PDF Rendering via Unsanitised HTML in Notes Field
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Invoiceshelf Invoiceshelf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:42:08.018Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34365

cve-icon Vulnrichment

Updated: 2026-04-01T13:41:59.330Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T20:16:29.307

Modified: 2026-04-07T15:53:39.400

Link: CVE-2026-34365

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:07Z

Weaknesses