CVE-2026-33531 - Vulnerability Analysis
N/a
Last Updated: March 26, 2026
InvenTree - Path Traversal
Published: March 26, 2026
Updated: March 26, 2026
PoC Available
Overview
InvenTree versions before 1.2.6 contain a path traversal vulnerability in the report template engine functions encode_svg_image(), asset(), and uploaded_image(). Crafted template tags passed to these functions let staff users read arbitrary files. Exploitation requires staff access.
Severity & Score
Severity: N/a
Impact
Staff users can read arbitrary files on the server, potentially exposing sensitive information.
Mitigation
Update to version 1.2.6, 1.3.0 or later.
Details
- CVE ID: CVE-2026-33531
- Severity: N/a
- Type: path_traversal
- Status: new
CWE
- CWE-89
CVSS Metrics
N/A