Inventree Project Inventree — known CVE vulnerabilities
Every CVE whose affected-product data names Inventree Project Inventree, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (15)
CVE-2022-2112 — CVSS 8.8 (high): Improper Neutralization of Formula Elements in a CSV File in GitHub repository inventree/inventree prior to 0.7.2.
CVE-2022-2111 — CVSS 8.8 (high): Unrestricted Upload of File with Dangerous Type in GitHub repository inventree/inventree prior to 0.7.2.
CVE-2026-35478 — CVSS 8.3 (high): InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid…
CVE-2026-33530 — CVSS 7.7 (high): InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations…
CVE-2024-47610 — CVSS 7.3 (high): InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store…
CVE-2026-35476 — CVSS 7.2 (high): InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account…
CVE-2026-39362 — CVSS 7.1 (high): InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in)…
CVE-2026-35479 — CVSS 6.6 (medium): InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install…
CVE-2026-33531 — CVSS 6.5 (medium): InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template…
CVE-2022-2134 — CVSS 6.5 (medium): Allocation of Resources Without Limits or Throttling in GitHub repository inventree/inventree prior to 0.8.0.
CVE-2026-27629 — CVSS 5.9 (medium): InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose…
CVE-2026-35477 — CVSS 5.5 (medium): InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT…
CVE-2025-49000 — CVSS 3.5 (low): InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin…