Platform
other
Component
invoiceshelf
Fixed in
2.2.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in InvoiceShelf, an open-source web and mobile application for expense and invoice management. This flaw, present in versions prior to 2.2.0, allows attackers to trigger the application to fetch arbitrary remote resources. The vulnerability stems from unsanitized user-supplied HTML in the invoice Notes field, which is passed directly to the Dompdf rendering library. A patch addressing this issue is available in version 2.2.0.
The SSRF vulnerability in InvoiceShelf allows an attacker to leverage the application's PDF generation functionality to make requests to internal or external resources. By injecting malicious HTML into the invoice Notes field, an attacker can craft a request that the application will then execute on behalf of the user. This could lead to unauthorized access to internal services, data exfiltration, or even remote code execution if the targeted resource is vulnerable. The impact is amplified if the application is deployed in an environment with sensitive internal resources or if it interacts with other systems that could be compromised through this SSRF attack. The ability to trigger this via PDF preview and email delivery endpoints expands the potential attack surface.
This vulnerability was publicly disclosed on 2026-03-31. There is currently no indication of active exploitation campaigns targeting InvoiceShelf. The vulnerability's ease of exploitation, combined with the widespread use of InvoiceShelf, could make it an attractive target for opportunistic attackers. No KEV listing is currently available.
Organizations using InvoiceShelf for expense and invoice management, particularly those with legacy configurations or shared hosting environments, are at risk. Users who rely on the PDF generation functionality and have not implemented input validation measures are especially vulnerable.
• linux / server:
journalctl -u invoiceshelf | grep -i -e "dompdf" -e "remote resource"
• generic web:
curl -I 'https://<invoiceshelf_url>/pdf/preview?invoice_id=<invoice_id>&notes=<malicious_html>' | grep 'Location:'
Disclosure
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34367 is to upgrade InvoiceShelf to version 2.2.0 or later, which includes a fix for the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious HTML content in the invoice Notes field. Specifically, look for patterns indicative of SSRF attempts, such as URLs or data URIs within the HTML. Additionally, review and restrict the permissions of the application's user accounts to minimize the potential impact of a successful SSRF attack. After upgrading, confirm the fix by attempting to generate a PDF invoice with malicious HTML in the Notes field and verifying that the application does not make unauthorized requests.
Upgrade InvoiceShelf to version 2.2.0 or later. This version fixes the SSRF vulnerability by sanitizing the HTML input in the invoice Notes field, which prevents the Dompdf library from fetching unwanted remote resources.
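As an added example (not InvoiceShelf or Dompdf code), the following Python check implements the kind of filter the mitigation above describes: it scans a Notes value for HTML that would make Dompdf resolve an external reference (src/href attributes, CSS url() and @import, data URIs) so the request can be rejected before rendering. The sample Notes value and its hosts are constructed placeholders.

```python
# Pre-render check for invoice Notes HTML (added example, not InvoiceShelf or
# Dompdf code). Dompdf resolves <img src>, <link href>, <object data>, CSS url()
# and @import; flagging those (and data URIs) lets a filter reject the input.
import re
from html.parser import HTMLParser
URL_ATTRS = {"src", "href", "background", "data"}   # attributes Dompdf resolves
# @import "x", @import url(x) or url(x) inside CSS; group 1 is the reference.
CSS_REF_RE = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'"()\s;]+)""", re.I)
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]*:", re.I)  # http:, file:, data:, ...

def _would_fetch(url: str) -> bool:
    # Any scheme or protocol-relative // is a fetch; relative paths are not flagged.
    url = url.strip()
    return bool(SCHEME_RE.match(url)) or url.startswith("//")

class RemoteRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (location, reference) tuples
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if name in URL_ATTRS and value and _would_fetch(value):
                self.findings.append((f"<{tag} {name}>", value.strip()))
            elif name == "style" and value:     # inline style="...url(...)"
                self._scan_css(f"<{tag} style>", value)

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:                      # <style> body arrives as raw CSS
            self._scan_css("<style>", data)

    def _scan_css(self, where, css):
        for m in CSS_REF_RE.finditer(css):
            if _would_fetch(m.group(1)):
                self.findings.append((where, m.group(1).strip()))

def find_remote_references(notes_html: str):
    # Every (location, reference) in the Notes HTML that would trigger a fetch.
    scanner = RemoteRefScanner()
    scanner.feed(notes_html)
    scanner.close()
    return scanner.findings

# Constructed sample of an abusive Notes value; the hosts are placeholders.
SAMPLE = ('<p>Thanks for your business.</p><img src="http://10.0.0.5/internal">'
          '<div style="background:url(//example.invalid/x.png)"></div>'
          '<style>@import "http://example.invalid/a.css";</style>')
```

An empty result from find_remote_references is the condition under which the Notes value may be handed to the renderer; anything else is logged and rejected.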
CVE-2026-34367 is a Server-Side Request Forgery vulnerability in InvoiceShelf versions prior to 2.2.0, allowing attackers to trigger requests to arbitrary remote resources via unsanitized HTML in invoice notes.
You are affected if you are using InvoiceShelf version 2.2.0 or earlier. Upgrade to 2.2.0 to resolve the vulnerability.
Upgrade InvoiceShelf to version 2.2.0 or later. As a temporary workaround, implement a WAF rule to filter malicious HTML in invoice notes.
There is currently no indication of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the InvoiceShelf project's official website and GitHub repository for updates and advisories related to CVE-2026-34367.