Platform
php
Component
invoiceshelf
Fixed in
2.2.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in InvoiceShelf, an open-source expense and invoice management application. This flaw, present in versions prior to 2.2.0, allows attackers to leverage user-supplied HTML within the estimate notes field to trigger the fetching of arbitrary remote resources. The vulnerability is directly exploitable through the PDF preview and customer view endpoints, impacting both manual and automated email attachment workflows. A patch is available in version 2.2.0.
The SSRF vulnerability in InvoiceShelf allows an attacker to craft malicious estimates containing HTML that references external resources. When these estimates are processed by the application's Dompdf rendering library, the server attempts to fetch and render those resources. This can give an attacker access to internal resources that are otherwise protected, such as internal APIs or databases. An attacker could also use the vulnerability to perform reconnaissance on the internal network, identify other vulnerable services, and escalate the attack from there. Because the notes field is not sanitized, the HTML passes through the application's standard input validation untouched, which is why the vulnerability is rated high impact.
This vulnerability was publicly disclosed on 2026-03-31. No public proof-of-concept exploits have been identified at the time of writing, but the SSRF nature of the vulnerability makes it likely that exploits will emerge. The CVSS score of 7.6 (HIGH) indicates a significant risk. It is not currently listed on the CISA KEV catalog.
Organizations utilizing InvoiceShelf for expense and invoice management, particularly those with automated email attachment features enabled, are at risk. Shared hosting environments where multiple users share the same InvoiceShelf instance are also particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's account.
• php / server:
  find /var/www/html/invoiceshelf/ -name 'dompdf.inc.php' -print
• generic web:
  curl -I 'https://your-invoiceshelf-instance/estimate/preview?notes=<script>alert(1)</script>' # Check for XSS-like response
Disclosure
Exploit status
EPSS
0.03% (percentile 10%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34365 is to immediately upgrade InvoiceShelf to version 2.2.0 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious HTML patterns in the estimate notes field. Additionally, restrict network access to the InvoiceShelf server to only allow necessary outbound connections. Regularly review and audit the application's configuration to ensure that all input validation and sanitization mechanisms are properly implemented. After upgrade, confirm the fix by attempting to generate a PDF estimate with malicious HTML and verifying that the server does not fetch the external resource.
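As an added illustration of the two controls described above (disabling remote fetching in the PDF renderer and sanitizing the notes field), the following PHP is example code written for this page; it is not InvoiceShelf's own code and does not reflect how the 2.2.0 fix is implemented. It assumes `dompdf/dompdf` is installed through Composer and `ext-dom` is available; the function names, the `public` chroot path and the sample note are hypothetical. The `isRemoteEnabled`, `isPhpEnabled` and `chroot` options are real Dompdf settings.

```php
<?php
// Added example (not InvoiceShelf's code): render user-supplied estimate notes
// through Dompdf with remote fetching disabled, with an HTML sanitizer as
// defence in depth. Assumes dompdf/dompdf via Composer and ext-dom.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Dompdf\Dompdf;
use Dompdf\Options;

/** Tags that make an HTML renderer fetch a resource on their own (constructed list). */
const FETCHING_TAGS = ['img', 'link', 'iframe', 'frame', 'object', 'embed', 'script',
    'style', 'svg', 'image', 'source', 'video', 'audio', 'base', 'meta'];

/** Attributes that can carry a URL the renderer would load (constructed list). */
const URL_ATTRIBUTES = ['src', 'srcset', 'background', 'data', 'poster', 'xlink:href'];

/**
 * Remove every element and attribute in user-supplied notes HTML that could
 * trigger an outbound request from the renderer. Returns the cleaned body HTML.
 */
function sanitizeNotesHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // user HTML is rarely well-formed; ignore parser warnings
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html); // libxml wraps the fragment in <html><body>
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    // Snapshot the node list first: removing nodes from a live list while iterating skips siblings.
    $elements = iterator_to_array($xpath->query('//body//*'), false);

    foreach ($elements as $el) {
        if (!$el instanceof DOMElement) {
            continue;
        }
        if (in_array(strtolower($el->nodeName), FETCHING_TAGS, true)) {
            // Drop the whole element; a detached parent still allows removing its children later.
            $el->parentNode?->removeChild($el);
            continue;
        }
        foreach (URL_ATTRIBUTES as $attr) {
            if ($el->hasAttribute($attr)) {
                $el->removeAttribute($attr);
            }
        }
        // Inline CSS can load resources via url(); drop the attribute instead of parsing CSS.
        if ($el->hasAttribute('style') && stripos($el->getAttribute('style'), 'url(') !== false) {
            $el->removeAttribute('style');
        }
    }

    $body = $doc->getElementsByTagName('body')->item(0);
    $clean = '';
    if ($body !== null) {
        foreach ($body->childNodes as $child) {
            $clean .= $doc->saveHTML($child);
        }
    }
    return $clean;
}

/**
 * Build the estimate PDF. The Options flags are the primary control: with
 * isRemoteEnabled=false Dompdf refuses http(s) URLs outright, so HTML that
 * slips past the sanitizer still cannot reach internal services.
 */
function renderEstimatePdf(string $notesHtml): string
{
    $options = new Options();
    $options->set('isRemoteEnabled', false);       // no outbound fetches from HTML or CSS
    $options->set('isPhpEnabled', false);          // no inline PHP blocks in the document
    $options->set('chroot', __DIR__ . '/public');  // local file references confined here (hypothetical path)

    $dompdf = new Dompdf($options);
    $dompdf->loadHtml(
        '<html><body><h1>Estimate</h1><div class="notes">'
        . sanitizeNotesHtml($notesHtml)
        . '</div></body></html>'
    );
    $dompdf->setPaper('A4');
    $dompdf->render();
    return $dompdf->output();
}

// Constructed sample note: the kind of remote references the advisory describes.
$sample = '<p>Thanks for your business.</p>'
    . '<img src="https://resource.example/probe.png">'
    . '<div style="background:url(https://resource.example/bg.png)">Terms</div>';

echo sanitizeNotesHtml($sample), PHP_EOL;
file_put_contents('/tmp/estimate.pdf', renderEstimatePdf($sample));
```

The sanitizer is intentionally a deny list of fetching constructs rather than a full HTML allow list, which is why it is only the second layer: the renderer option is what makes the outcome independent of parser quirks. Pairing both with the outbound network restriction mentioned above means a missed construct is logged at the egress control rather than reaching an internal service, which is also a convenient place to confirm after upgrading that no request leaves the server when a test estimate with remote references is rendered.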
Upgrade InvoiceShelf to version 2.2.0 or later. This version fixes the SSRF vulnerability in the estimate PDF generation module by sanitizing the HTML input in the notes field.
CVE-2026-34365 is a Server-Side Request Forgery vulnerability in InvoiceShelf versions prior to 2.2.0, allowing attackers to fetch remote resources via unsanitized HTML in estimate notes.
You are affected if you are using InvoiceShelf version 2.2.0 or earlier. Upgrade to 2.2.0 to mitigate the vulnerability.
Upgrade InvoiceShelf to version 2.2.0 or later. As a temporary workaround, implement a WAF rule to block suspicious HTML in estimate notes.
No active exploitation has been confirmed, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the InvoiceShelf project's official website and GitHub repository for updates and advisories related to CVE-2026-34365.