CVE-2026-33531

MEDIUM

InvenTree has Path Traversal In Report Templates

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-33531. PoCs published by alonaki.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-33531, a path traversal vulnerability in InvenTree's report template engine. It includes root cause analysis, affected functions, attack flow, and patch details, but does not contain functional exploit code.

Description

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, and `uploaded_image()` in `src/backend/InvenTree/report/templatetags/report.py`. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.

Exploits (1)

nomisec WRITEUP 2 stars

by alonaki · poc

https://github.com/alonaki/InvenTree-Path-Traversal-CVE-2026-33531

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-33531, a path traversal vulnerability in InvenTree's report template engine. It includes root cause analysis, affected functions, attack flow, and patch details, but does not contain functional exploit code.

Classification

Writeup 100%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: InvenTree < 1.2.6

Auth required

Prerequisites: staff-level access to create/edit report templates · InvenTree installation with elevated filesystem privileges

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Apr 08, 2026 Full analysis →

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/inventree/InvenTree/security/advisories/GHSA-rhc5-7c3r-c769

X_Refsource_Misc x_refsource_misc

https://github.com/inventree/InvenTree/pull/11579

Scores

CVSS v3 6.5

EPSS 0.0029

EPSS Percentile 20.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (2)

inventree/InvenTree < 1.2.6

inventree_project/inventree < 1.2.6

Published Mar 26, 2026

Tracked Since Mar 27, 2026