Description
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Invoice PDF generation module. User-supplied HTML in the invoice Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. This can be triggered via the PDF preview and email delivery endpoints. This issue has been patched in version 2.2.0.
Published: 2026-03-31
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server‑Side Request Forgery
Action: Patch Immediately
AI Analysis

Impact

The vulnerability allows user‑supplied, unsanitised HTML in the Notes field of an invoice to be rendered by the Dompdf library, which can fetch any remote resources referenced in the markup. This permits an attacker to force the server to make arbitrary outbound HTTP requests to internal or external addresses, potentially exposing sensitive data, accessing privileged services, or facilitating further attacks. The weakness corresponds to the Server‑Side Request Forgery category (CWE‑918).

Affected Systems

Invoices managed using the open‑source InvoiceShelf application are affected when running any version earlier than 2.2.0. The problem is resolved in the 2.2.0 release, as indicated by the vendor’s security advisory.

Risk and Exploitability

The CVSS score of 7.6 assigns this issue a high severity rating, while an EPSS score below 1% suggests a low probability of spontaneous exploitation in current threat data. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The description implies that the attack vector would involve accessing the PDF preview or email sending endpoints, though any authentication or permission prerequisites are not explicitly documented.

Generated by OpenCVE AI on April 9, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check that the InvoiceShelf instance is running a version newer than 2.2.0; if not, plan and execute a timely upgrade to the latest release.

Generated by OpenCVE AI on April 9, 2026 at 21:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:invoiceshelf:invoiceshelf:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Invoiceshelf
Invoiceshelf invoiceshelf
Vendors & Products Invoiceshelf
Invoiceshelf invoiceshelf

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Invoice PDF generation module. User-supplied HTML in the invoice Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. This can be triggered via the PDF preview and email delivery endpoints. This issue has been patched in version 2.2.0.
Title InvoiceShelf: SSRF in Invoice PDF Rendering via Unsanitised HTML in Notes Field
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Invoiceshelf Invoiceshelf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:25:18.501Z

Reserved: 2026-03-27T13:43:14.369Z

Link: CVE-2026-34367

cve-icon Vulnrichment

Updated: 2026-04-03T16:25:12.402Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T21:16:29.687

Modified: 2026-04-09T19:31:34.090

Link: CVE-2026-34367

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:45:57Z

Weaknesses