Platform: other
Component: invoiceshelf
Fixed in: 2.2.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in InvoiceShelf, an open-source web and mobile application for expense and invoice management. This flaw, present in versions prior to 2.2.0, allows attackers to trigger the application to fetch arbitrary remote resources. The vulnerability stems from unsanitized user-supplied HTML in the invoice Notes field, which is passed directly to the Dompdf rendering library. A patch addressing this issue is available in version 2.2.0.
The SSRF vulnerability in InvoiceShelf allows an attacker to leverage the application's PDF generation functionality to make requests to internal or external resources. By injecting malicious HTML into the invoice Notes field, an attacker can craft a request that the application will then execute on behalf of the user. This could lead to unauthorized access to internal services, data exfiltration, or even remote code execution if the targeted resource is vulnerable. The impact is amplified if the application is deployed in an environment with sensitive internal resources or if it interacts with other systems that could be compromised through this SSRF attack. The ability to trigger this via PDF preview and email delivery endpoints expands the potential attack surface.
This vulnerability was publicly disclosed on 2026-03-31. There is currently no indication of active exploitation campaigns targeting InvoiceShelf. The vulnerability's ease of exploitation, combined with the widespread use of InvoiceShelf, could make it an attractive target for opportunistic attackers. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34367 is to upgrade InvoiceShelf to version 2.2.0 or later, which includes a fix for the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious HTML content in the invoice Notes field. Specifically, look for patterns indicative of SSRF attempts, such as URLs or data URIs within the HTML. Additionally, review and restrict the permissions of the application's user accounts to minimize the potential impact of a successful SSRF attack. After upgrading, confirm the fix by attempting to generate a PDF invoice with malicious HTML in the Notes field and verifying that the application does not make unauthorized requests.
Update InvoiceShelf to version 2.2.0 or later. This version fixes the SSRF vulnerability by sanitizing the HTML input in the invoice Notes field. This will prevent the Dompdf library from fetching unwanted remote resources.
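The two defensive layers the advisory describes, a filter that flags fetch-capable HTML in the Notes field and a sanitizer that removes it before the value reaches a server-side renderer such as Dompdf, are shown below in Python as an added example. This is not code from InvoiceShelf or Dompdf; the tag allowlist, the function names and the sample Notes values are assumptions constructed for the example. The scanner reports every construct that would make an HTML renderer load a resource (img/link/iframe-style elements, URL-bearing attributes, CSS url() and @import), and the sanitizer rebuilds the notes from formatting tags only, so no attribute and no stylesheet content survives.

```python
# Added example (not InvoiceShelf or Dompdf code): scan and sanitize invoice Notes HTML
# before it is handed to a server-side PDF renderer. Allowlist and samples are constructed.
import html
import re
from html.parser import HTMLParser

# Attributes through which an HTML renderer is told to load a resource.
URL_ATTRS = {"src", "href", "background", "data", "poster", "xlink:href"}
# Elements whose purpose is to pull in external content.
FETCHING_TAGS = {"img", "link", "iframe", "frame", "object", "embed", "script", "image", "use"}
# CSS constructs that trigger a fetch, whether in a style attribute or a <style> block.
CSS_FETCH_RE = re.compile(r"url\s*\(|@import\b", re.IGNORECASE)

# Formatting a Notes field legitimately needs; none of these carries a URL on its own.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "span", "div",
                "h1", "h2", "h3", "h4", "table", "thead", "tbody", "tr", "th", "td"}
VOID_TAGS = {"br"}


class NotesScanner(HTMLParser):
    """Records every construct that would make the renderer fetch something (WAF-style check)."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[tuple[str, str]] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "style":
            self._in_style = True
        if tag in FETCHING_TAGS:
            self.findings.append((tag, "resource-loading element"))
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name in URL_ATTRS:
                self.findings.append((tag, f"{name}={value!r}"))
            elif name == "style" and CSS_FETCH_RE.search(value):
                self.findings.append((tag, f"inline CSS fetch: {value!r}"))

    def handle_endtag(self, tag):
        if tag.lower() == "style":
            self._in_style = False

    def handle_data(self, data):
        # <style> bodies arrive here as raw CSS; url() and @import fetch as well.
        if self._in_style and CSS_FETCH_RE.search(data):
            self.findings.append(("style", "stylesheet fetch"))


class NotesSanitizer(HTMLParser):
    """Allowlist rebuild: keeps formatting tags, drops all attributes and style/script content."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self._out: list[str] = []
        self._skip_depth = 0  # >0 while inside <style> or <script>

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ("style", "script"):
            self._skip_depth += 1
        elif tag in ALLOWED_TAGS:
            self._out.append(f"<{tag}>")  # attributes are never copied across

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in ("style", "script"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self._out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self._out.append(html.escape(data, quote=False))

    def result(self) -> str:
        return "".join(self._out)


def scan_notes(notes_html: str) -> list[tuple[str, str]]:
    """Return the fetch-capable constructs found in a Notes value; an empty list means clean."""
    scanner = NotesScanner()
    scanner.feed(notes_html)
    scanner.close()
    return scanner.findings


def sanitize_notes(notes_html: str) -> str:
    """Return a copy of the Notes value that is safe to hand to the PDF renderer."""
    sanitizer = NotesSanitizer()
    sanitizer.feed(notes_html)
    sanitizer.close()
    return sanitizer.result()


# Constructed sample Notes values for a local run (not taken from the advisory).
SAMPLE_NOTES = {
    "benign": "<p>Payment due within <strong>30 days</strong>.</p>",
    "img": '<p>Thanks!</p><img src="http://example.test/logo.png">',
    "inline_css": '<div style="background:url(http://example.test/bg.png)">Terms</div>',
    "style_block": "<style>@import url('http://example.test/a.css');</style><p>Terms</p>",
}

if __name__ == "__main__":
    for label, notes in SAMPLE_NOTES.items():
        print(f"{label:12} findings={scan_notes(notes)} sanitized={sanitize_notes(notes)!r}")
```

Running the file prints the findings and the sanitized form of each sample; only the benign note comes back unchanged. The allowlist rebuild is the durable control because it does not depend on recognising every URL shape, which is the weakness of a pattern-based WAF rule. Independently of input handling, Dompdf's own `isRemoteEnabled` option governs whether it follows http(s) references at all, so its value in the deployment configuration is worth confirming as well.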
CVE-2026-34367 is a Server-Side Request Forgery vulnerability in InvoiceShelf versions prior to 2.2.0, allowing attackers to trigger requests to arbitrary remote resources via unsanitized HTML in invoice notes.
You are affected if you are using InvoiceShelf version 2.2.0 or earlier. Upgrade to 2.2.0 to resolve the vulnerability.
Upgrade InvoiceShelf to version 2.2.0 or later. As a temporary workaround, implement a WAF rule to filter malicious HTML in invoice notes.
There is currently no indication of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the InvoiceShelf project's official website and GitHub repository for updates and advisories related to CVE-2026-34367.