
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Se…

Published:

30 March 2026 at 22:00:00

Alert date:

31 March 2026 at 22:03:20

Source:

nvd.nist.gov


Web Technologies, Enterprise Applications

InvoiceShelf, an open-source invoicing application, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 2.2.0. The vulnerability exists in the Invoice PDF generation module where user-supplied HTML in the invoice Notes field is passed unsanitized to the Dompdf rendering library. This allows attackers to make the server fetch remote resources referenced in malicious markup. The vulnerability can be exploited through PDF preview and email delivery endpoints. The issue has been patched in version 2.2.0.
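The two layers a defender would want around this kind of PDF pipeline are shown below as an added example; it is not InvoiceShelf's own code and does not claim to be the 2.2.0 patch. It assumes Dompdf is installed via Composer (the `Dompdf\Dompdf` and `Dompdf\Options` classes and their `setIsRemoteEnabled`, `setChroot`, `loadHtml`, `render` and `output` methods are real Dompdf API). The helper names `sanitizeNotesHtml`, `cleanNode` and `renderInvoicePdf`, the `{{notes}}` template placeholder, the `public/` chroot path and the sample notes are constructed for illustration. The first layer is an allowlist sanitizer that drops every tag and attribute that could reference a remote or local resource; the second is the Dompdf option that refuses to fetch remote resources at all, so even markup that slips past sanitization cannot turn the server into an HTTP client.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: dompdf/dompdf installed via Composer

use Dompdf\Dompdf;
use Dompdf\Options;

/**
 * Hypothetical allowlist sanitizer for the invoice Notes field.
 * Only simple formatting tags survive and every attribute is removed, so the
 * notes cannot carry src/href/style values that point anywhere.
 */
function sanitizeNotesHtml(string $notes): string
{
    $allowed = ['p', 'br', 'strong', 'em', 'b', 'i', 'ul', 'ol', 'li'];
    // Elements whose text content must not survive either (scripts, styles, resource loaders).
    $dropEntirely = ['script', 'style', 'iframe', 'object', 'embed', 'link', 'img', 'svg', 'meta', 'base'];

    libxml_use_internal_errors(true); // tolerate sloppy user HTML without warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $notes . '</div>');
    $root = $doc->getElementsByTagName('div')->item(0); // our outermost wrapper div

    cleanNode($root, $allowed, $dropEntirely);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node, array $allowed, array $dropEntirely): void
{
    // Iterate over a static copy because the loop mutates the live child list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, $dropEntirely, true)) {
                $node->removeChild($child);
                continue;
            }
            if (!in_array($tag, $allowed, true)) {
                // Unwrap: keep the element's text, discard the element itself,
                // then restart on this parent so the promoted children are cleaned too.
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                cleanNode($node, $allowed, $dropEntirely);
                return;
            }
            // Allowed tag: strip every attribute (src, href, style, on*, ...).
            while ($child->attributes->length > 0) {
                $child->removeAttribute($child->attributes->item(0)->nodeName);
            }
            cleanNode($child, $allowed, $dropEntirely);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, CDATA, processing instructions
        }
    }
}

/**
 * Hypothetical rendering step: notes are sanitized before they reach the
 * template, and Dompdf is configured so it cannot fetch remote resources.
 */
function renderInvoicePdf(string $invoiceTemplateHtml, string $notes): string
{
    $options = new Options();
    // Weak setting (what makes HTML-in-notes an SSRF): $options->setIsRemoteEnabled(true);
    // Hardened setting: any remote URL in the markup is simply not fetched.
    $options->setIsRemoteEnabled(false);
    // Local file access limited to the application's own asset directory (assumed path).
    $options->setChroot(__DIR__ . '/public');

    $dompdf = new Dompdf($options);
    $dompdf->loadHtml(str_replace('{{notes}}', sanitizeNotesHtml($notes), $invoiceTemplateHtml));
    $dompdf->setPaper('A4');
    $dompdf->render();
    return $dompdf->output();
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: legitimate formatting plus markup that would trigger a server-side fetch.
    $notes = '<p>Thank you for your <strong>business</strong>!</p>'
           . '<img src="http://example.invalid/pixel.png">'
           . '<a href="http://example.invalid/">terms</a>';
    echo sanitizeNotesHtml($notes), PHP_EOL;
    // <p>Thank you for your <strong>business</strong>!</p>terms
}
```

The sanitizer runs before the template is assembled, so the PDF preview and the e-mail delivery path share the same cleaned input; the Dompdf option is the backstop for any future field that is rendered without passing through it.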

Technical details

Mitigation steps:

Affected products:

InvoiceShelf

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
