Submit #721323: invoiceninja <= 5.12.38. ssrfinfo

Title	invoiceninja <= 5.12.38. ssrf
Description	A Server-Side Request Forgery (SSRF) vulnerability exists in Invoice Ninja <= 5.12.38. The vulnerability is located in the `app/Jobs/Util/Import.php` file within the migration import functionality. The `company_logo` parameter from user-uploaded migration files is not properly validated before being passed to PHP's `copy()` function, allowing authenticated users to make the server send HTTP requests to arbitrary URLs, potentially accessing internal network services, cloud metadata endpoints (AWS/GCP/Azure), and extracting sensitive information including IAM credentials and internal API data.
Source	⚠️ https://note-hxlab.wetolink.com/share/fWqEpn5fX4rH
User	gets (UID 71108)
Submission	12/22/2025 06:09 (4 months ago)
Moderation	01/06/2026 17:20 (15 days later)
Status	Accepted
VulDB entry	339720 [invoiceninja up to 5.12.38 Migration Import Import.php copy company_logo server-side request forgery]
Points	20

Want to know what is going to be exploited?

We predict KEV entries!