| Field | Value |
|---|---|
| Title | InvenTree 1.2.6 Server-Side Request Forgery |
| Description | InvenTree 1.2.6 contains a Server-Side Request Forgery (SSRF) vulnerability in its remote image download functionality (the remote_image handling). A user-supplied URL is validated only for syntactic form with Django's URLValidator, which accepts any well-formed http or https URL, including literal IP addresses such as 169.254.169.254 and hostnames that resolve to internal address space; nothing restricts the destination to public, non-sensitive network locations. The application then fetches the URL with requests.get() with redirect following enabled, so the submitted URL does not even have to name the internal target itself: a server under the attacker's control can answer with a redirect to one, and the client follows it. An authenticated attacker can therefore make the server issue requests to internal services or to cloud instance metadata endpoints such as 169.254.169.254, which can expose sensitive information, including cloud instance credentials, and may facilitate further lateral movement within the internal infrastructure. |
| Source | https://github.com/lakshayyverma/CVE-Discovery/blob/main/InvenTree.md |
| User | lakshay12311 (UID 91298) |
| Submission | 03/29/2026 12:27 (12 days ago) |
| Moderation | 04/08/2026 09:23 (10 days later) |
| Status | Accepted |
| VulDB entry | 356037 [InvenTree 1.2.6 remote_image server-side request forgery] |
| Points | 20 |
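The two controls the description says are missing, as an added example (this is not InvenTree's code and not the reporter's): a destination check that resolves the host and rejects anything that is not globally routable, beside a fetch loop that disables automatic redirect following and re-validates every Location before the next hop. default_resolver and default_http_get use the real socket and requests calls; the names, addresses and responses in FAKE_DNS and FAKE_HTTP are constructed so the demonstration runs offline, and every input shown as blocked is one that Django's URLValidator accepts as well formed.

```python
# Added example, not InvenTree code: destination check plus redirect-aware fetch.
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 3


def default_resolver(host):
    """Real DNS: every address the host maps to, as strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)}


def is_safe_url(url, resolver=default_resolver):
    """True only for http(s) URLs without embedded credentials whose host resolves
    exclusively to globally routable addresses. URLValidator checks form, not
    destination, so it accepts everything this function rejects."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # IPv6 brackets stripped, lower-cased
    if not host:
        return False
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IPv4/IPv6 host, no DNS needed
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError:  # socket.gaierror is a subclass: unresolvable host is rejected
            return False
    if not addrs:
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16, fe80::/10),
        # IPv4-mapped IPv6, multicast, reserved and unspecified addresses.
        if not ip.is_global:
            return False
    return True


def default_http_get(url):
    """One hop with requests, automatic redirect following disabled."""
    import requests  # imported here so the offline demonstration does not need it
    resp = requests.get(url, allow_redirects=False, timeout=10)
    return resp.status_code, resp.headers, resp.content


def fetch_image(url, http_get=default_http_get, resolver=default_resolver):
    """Fetch url, following at most MAX_REDIRECTS hops and checking every hop.

    requests.get(url) with redirects enabled checks nothing after the first URL: a
    permitted host can answer 302 Location: http://169.254.169.254/... and the client
    follows it. Returns (final_url, status, body) or raises ValueError.
    """
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        if not is_safe_url(current, resolver):
            raise ValueError(f"refusing non-public destination: {current}")
        status, headers, body = http_get(current)
        if status in REDIRECT_CODES:
            location = headers.get("Location")
            if not location:
                raise ValueError(f"redirect without Location from {current}")
            current = urljoin(current, location)  # Location may be relative
            continue
        return current, status, body
    raise ValueError("too many redirects")


# Constructed fixtures for the offline demonstration; hypothetical names and addresses.
FAKE_DNS = {
    "images.example": {"1.2.3.4"},             # stands in for a public image host
    "redirector.example": {"5.6.7.8"},         # public host whose response redirects inward
    "metadata.internal": {"169.254.169.254"},  # ordinary-looking name, link-local answer
    "2852039166": {"169.254.169.254"},         # decimal IPv4 form that glibc inet_aton accepts
}
FAKE_HTTP = {
    "http://images.example/logo.png": (200, {}, b"\x89PNG\r\n\x1a\n"),
    "http://images.example/moved": (301, {"Location": "/logo.png"}, b""),
    "http://redirector.example/img": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
}


def fake_resolver(host):
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"constructed resolver: unknown host {host}")


def fake_http_get(url):
    return FAKE_HTTP.get(url, (404, {}, b""))


if __name__ == "__main__":
    for u in ("http://images.example/logo.png", "http://169.254.169.254/latest/meta-data/",
              "http://metadata.internal/", "http://2852039166/", "http://[::1]/"):
        print(u, "allowed" if is_safe_url(u, fake_resolver) else "blocked")
    print(fetch_image("http://images.example/moved", fake_http_get, fake_resolver)[:2])
    try:
        fetch_image("http://redirector.example/img", fake_http_get, fake_resolver)
    except ValueError as exc:
        print("blocked at second hop:", exc)
```

The check resolves the name once and the HTTP library resolves it again when connecting, so a resolver that changes its answer between the two lookups (DNS rebinding) can still slip through; a production fix either connects to the validated IP directly with the Host header set, or validates the peer address at connection time. Redirect handling is the other half: limiting hops and re-checking each Location is what turns a first-URL check into a check on where the request actually goes.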