CVE-2026-27629
CVE-2026-27629 is a medium-severity vulnerability in Inventree Project Inventree with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1336.
Key facts
- Severity: Medium (CVSS 3.x base score 5.9)
- EPSS exploit prediction: 0% (17th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-8602
- Weakness: CWE-1336
- Affected product: Inventree Project Inventree
- Published:
- Last modified:
Description
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by a staff user to exfiltrate sensitive information or perform code execution on the server. This issue requires access by a user with granted staff permissions, followed by a request to generate a custom batch code via the API. Once the template has been modified in a malicious manner, the API call to generate a new batch code could be made by other users, and the template code will be executed with their user context. The code has been patched to ensure that all template generation is performed within a secure sandboxed context. This issue has been addressed in version 1.2.3, and any versions from 1.3.0 onwards. Some workarounds are available. The batch code template is a configurable global setting which can be adjusted via any user with staff access. To prevent this setting from being edited, it can be overridden at a system level to a default value, preventing it from being edited. This requires system administrator access, and cannot be changed from the client side once the server is running. It is recommended that for InvenTree installations prior to 1.2.3 the `STOCK_BATCH_CODE_TEMPLATE` and `PART_NAME_FORMAT` global settings are overridden at the system level to prevent editing.
Frequently asked questions
- What is CVE-2026-27629?
- InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by a staff user to exfiltrate sensitive information or perform code execution on the server. This issue requires access by a user with granted staff permissions, followed by a request to generate a custom batch code via the API. Once the template has been modified in a malicious manner, the API call to generate a new batch code could be made by other users, and the template code will be executed with their user context. The code has been patched to ensure that all template generation is performed within a secure sandboxed context. This issue has been addressed in version 1.2.3, and any versions from 1.3.0 onwards. Some workarounds are available. The batch code template is a configurable global setting which can be adjusted via any user with staff access. To prevent this setting from being edited, it can be overridden at a system level to a default value, preventing it from being edited. This requires system administrator access, and cannot be changed from the client side once the server is running. It is recommended that for InvenTree installations prior to 1.2.3 the `STOCK_BATCH_CODE_TEMPLATE` and `PART_NAME_FORMAT` global settings are overridden at the system level to prevent editing.
- How severe is CVE-2026-27629?
- CVE-2026-27629 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over an adjacent network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2026-27629 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (17th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-27629?
- CVE-2026-27629 affects Inventree Project Inventree. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-27629?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-27629 have an EU (EUVD) identifier?
- Yes. CVE-2026-27629 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-8602.
- When was CVE-2026-27629 published?
- CVE-2026-27629 was published on 2026-02-25 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*
More vulnerabilities in Inventree Project Inventree
- CVE-2022-2112 — High (CVSS 8.8): Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.
- CVE-2022-2111 — High (CVSS 8.8): Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2.
- CVE-2026-35478 — High (CVSS 8.3): InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user…
- CVE-2026-33530 — High (CVSS 7.7): InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with…
- CVE-2024-47610 — High (CVSS 7.3): InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a…
- CVE-2026-35476 — High (CVSS 7.2): InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can…
All CVEs affecting Inventree Project Inventree →
Other CWE-1336 vulnerabilities
- CVE-2025-53833 — Critical (CVSS 10.0): LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior…
- CVE-2024-32651 — Critical (CVSS 10.0): changedetection.io is an open source web page change detection, website watcher, restock monitor and notification…
- CVE-2026-45312 — Critical (CVSS 9.9): RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template…
- CVE-2026-9558 — Critical (CVSS 9.9): A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded…
- CVE-2026-33897 — Critical (CVSS 9.9): Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template files can be used…
- CVE-2026-1868 — Critical (CVSS 9.9): GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway affecting all versions…