Platform
other
Component
invoiceshelf
Fixed in
2.2.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in InvoiceShelf, an open-source web and mobile application for expense and invoice management. This flaw, present in versions prior to 2.2.0, allows attackers to trigger the application to fetch arbitrary remote resources. The vulnerability stems from unsanitized user-supplied HTML in the invoice Notes field, which is passed directly to the Dompdf rendering library. A patch addressing this issue is available in version 2.2.0.
The SSRF vulnerability in InvoiceShelf allows an attacker to leverage the application's PDF generation functionality to make requests to internal or external resources. By injecting malicious HTML into the invoice Notes field, an attacker can craft a request that the application will then execute on behalf of the user. This could lead to unauthorized access to internal services, data exfiltration, or even remote code execution if the targeted resource is vulnerable. The impact is amplified if the application is deployed in an environment with sensitive internal resources or if it interacts with other systems that could be compromised through this SSRF attack. The ability to trigger this via PDF preview and email delivery endpoints expands the potential attack surface.
This vulnerability was publicly disclosed on 2026-03-31. There is currently no indication of active exploitation campaigns targeting InvoiceShelf. The vulnerability's ease of exploitation, combined with the widespread use of InvoiceShelf, could make it an attractive target for opportunistic attackers. No KEV listing is currently available.
Organizations using InvoiceShelf for expense and invoice management, particularly those with legacy configurations or shared hosting environments, are at risk. Users who rely on the PDF generation functionality and have not implemented input validation measures are especially vulnerable.
• linux / server:
journalctl -u invoiceshelf | grep -iE "dompdf|remote resource"
• generic web:
curl -I 'https://<invoiceshelf_url>/pdf/preview?invoice_id=<invoice_id>&notes=<malicious_html>' | grep 'Location:'
disclosure
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34367 is to upgrade InvoiceShelf to version 2.2.0 or later, which includes a fix for the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious HTML content in the invoice Notes field. Specifically, look for patterns indicative of SSRF attempts, such as URLs or data URIs within the HTML. Additionally, review and restrict the permissions of the application's user accounts to minimize the potential impact of a successful SSRF attack. After upgrading, confirm the fix by attempting to generate a PDF invoice with malicious HTML in the Notes field and verifying that the application does not make unauthorized requests.
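As an added illustration of the interim WAF rule and the server-side validation described above (this is not InvoiceShelf or Dompdf code), the following Python flags every HTML attribute or CSS reference in a Notes value that would cause Dompdf to fetch a resource, including entity-encoded schemes, protocol-relative URLs, data URIs, inline url() and @import. Hostnames used in the tests are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Attributes Dompdf may resolve into a fetch of an external resource.
FETCH_ATTRS = {"src", "href", "background", "poster", "data", "xlink:href"}
# Any explicit scheme (http:, data:, file:, php:, ...) or protocol-relative "//host".
# Relative paths are not flagged; a stricter deployment may reject those as well.
REF_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:|//)", re.I)
CSS_URL_RE = re.compile(r"url\s*\(\s*['\"]?([^'\")]*)", re.I)
CSS_IMPORT_RE = re.compile(r"@import\s+['\"]([^'\"]*)", re.I)


class RemoteRefScanner(HTMLParser):
    # Collects (tag, where, value) for every reference that could cause a fetch.
    def __init__(self):
        super().__init__()  # entity refs in attribute values are decoded for us
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        for name, value in attrs:
            if value and name in FETCH_ATTRS and REF_RE.match(value):
                self.findings.append((tag, name, value.strip()))
            elif value and name == "style":  # inline CSS can also carry url()
                self._scan_css(tag, value)

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # <style> bodies arrive here as raw CDATA
            self._scan_css("style", data)

    def _scan_css(self, tag, css):
        for kind, rx in (("css-url", CSS_URL_RE), ("css-import", CSS_IMPORT_RE)):
            for m in rx.finditer(css):
                if REF_RE.match(m.group(1)):
                    self.findings.append((tag, kind, m.group(1).strip()))


def find_remote_refs(notes_html):
    """Return every fetchable reference in a Notes value (empty list = clean)."""
    scanner = RemoteRefScanner()
    scanner.feed(notes_html)
    scanner.close()
    return scanner.findings


def notes_allowed(notes_html):
    """The decision a WAF rule or server-side validator would make for the field."""
    return not find_remote_refs(notes_html)
```

Rejecting the request is only a stopgap: the upgrade to 2.2.0 sanitizes the field before it reaches Dompdf, which is the fix to rely on.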
Upgrade InvoiceShelf to version 2.2.0 or later. This version fixes the SSRF vulnerability by sanitizing the HTML input in the invoice Notes field, which prevents the Dompdf library from fetching unwanted remote resources.
CVE-2026-34367 is a Server-Side Request Forgery vulnerability in InvoiceShelf versions prior to 2.2.0, allowing attackers to trigger requests to arbitrary remote resources via unsanitized HTML in invoice notes.
You are affected if you are using InvoiceShelf version 2.2.0 or earlier. Upgrade to 2.2.0 to resolve the vulnerability.
Upgrade InvoiceShelf to version 2.2.0 or later. As a temporary workaround, implement a WAF rule to filter malicious HTML in invoice notes.
There is currently no indication of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the InvoiceShelf project's official website and GitHub repository for updates and advisories related to CVE-2026-34367.