Description
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.
Published: 2026-03-31
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF) via unsanitised HTML in the payment Notes field
Action: Immediate Patch
AI Analysis

Impact

A Server‑Side Request Forgery vulnerability allows an attacker to trick the PDF rendering library into fetching arbitrary remote resources. The flaw stems from user‑supplied HTML in the payment Notes field being passed unchanged to the Dompdf library, which can resolve external URLs and perform requests on behalf of the server. The weakness is identified as CWE‑918. This results in the ability to access internal network services, exfiltrate data, or trigger internal actions without authentication to the vulnerable endpoint.

Affected Systems

The issue affects the open‑source InvoiceShelf application before version 2.2.0. All installations running any release prior to 2.2.0 are vulnerable. Version 2.2.0, released in the mentioned tag, includes the fix.

Risk and Exploitability

The CVSS score of 7.6 indicates a high impact potential. The EPSS percentage is below 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is direct; an adversary can submit a malicious Notes field and trigger the PDF receipt endpoint to perform SSRF without needing any additional privileges. No specific user authentication is required to exploit the flaw beyond creating a payment record.

Generated by OpenCVE AI on April 7, 2026 at 23:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade InvoiceShelf to version 2.2.0 or later
  • If an upgrade cannot be performed immediately, disable the PDF receipt generation feature or restrict access to it until a patch is applied
  • Sanitise or remove any user‑supplied HTML in the payment Notes field before passing it to the PDF renderer

Generated by OpenCVE AI on April 7, 2026 at 23:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:invoiceshelf:invoiceshelf:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Invoiceshelf
Invoiceshelf invoiceshelf
Vendors & Products Invoiceshelf
Invoiceshelf invoiceshelf

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.
Title InvoiceShelf: SSRF in Payment Receipt PDF Rendering via Unsanitised HTML in Notes Field
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Invoiceshelf Invoiceshelf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:42:09.630Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34366

cve-icon Vulnrichment

Updated: 2026-04-01T18:42:05.861Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T21:16:29.537

Modified: 2026-04-07T15:26:23.597

Link: CVE-2026-34366

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:06Z

Weaknesses