Platform
python
Component
inventree
Fixed in
1.2.4
CVE-2026-35477 is a remote code execution (RCE) vulnerability discovered in InvenTree, an open-source inventory management system. This flaw allows authenticated staff users with settings access to craft malicious templates that bypass validation and execute arbitrary code during rendering. The vulnerability impacts versions 1.2.3 through 1.2.6 and is addressed in version 1.2.7.
An attacker exploiting this vulnerability gains code execution on the InvenTree server with the privileges of the service account. By saving a specially crafted template, a malicious staff user can run arbitrary system commands, which in turn allows data theft, persistence on the host, or denial of service. The prerequisite is modest: a staff account with permission to edit settings, not a memory-corruption chain or a specialised toolset, so the difficulty of the attack is dominated by obtaining that account rather than by the exploit itself. Technically this is a server-side template injection (SSTI): the template is evaluated by Jinja2 without an adequate sandbox, so template expressions can reach Python objects that were never meant to be exposed.
CVE-2026-35477 was publicly disclosed on 2026-04-08. It is not currently listed in CISA's KEV catalog, and the EPSS figure recorded for it is low (see the EPSS entry in the metadata below). No public proof-of-concept exploit is known at the time of writing, but given the nature of the flaw (template injection reachable through the settings UI), producing one is unlikely to require much effort once the vulnerable code path is identified. Refer to the InvenTree security advisory for details.
Organizations running an affected release (1.2.3 through 1.2.6) in production are at risk, with the exposure proportional to how widely the staff role and settings permission are granted. Because exploitation needs such an account, anything that yields staff credentials or sessions (phishing, credential reuse, or, in shared hosting environments, a compromise of a neighbouring application that can reach the InvenTree admin interface) turns this into a path to full server compromise.
• python / server:
import json
import re
import sys
import urllib.request

# Release boundaries as stated in the advisory text on this page.
FIRST_AFFECTED = (1, 2, 3)
FIRST_FIXED = (1, 2, 7)

def parse_version(text):
    """'1.2.10' -> (1, 2, 10). Compare as integers: as strings, '1.2.10' < '1.2.3'."""
    m = re.match(r'\s*(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_vulnerable(version_text):
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED

def server_version(base_url):
    """Read the version the server reports at its API root (/api/).
    Assumes that endpoint is reachable and returns a "version" field.
    Note: the PyPI distribution named 'inventree' is the API client library,
    so 'pip show inventree' does not report the server's version."""
    with urllib.request.urlopen(base_url.rstrip('/') + '/api/', timeout=10) as resp:
        return json.load(resp)['version']

if __name__ == '__main__':
    url = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8000'
    try:
        found = server_version(url)
    except Exception as exc:
        print(f"Error checking version: {exc}")
        sys.exit(2)
    if is_vulnerable(found):
        print(f"VULNERABLE: InvenTree {found} detected.")
    else:
        print(f"InvenTree {found} is not in the affected range.")
• generic web:
curl -s http://your-invenTree-instance/api/ | grep -o '"version": *"[^"]*"'
Disclosure
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35477 is to upgrade InvenTree to version 1.2.7 or later without delay. If upgrading is not immediately feasible, reduce the attacking population: restrict the staff role and settings-modification permission to trusted personnel and audit which accounts currently hold them. Because the template is stored in settings and evaluated server-side, also review the template currently saved there for unexpected content. Note that the effective control for this class of flaw is sandboxed rendering, not input filtering: the advisory states that the existing validation was bypassed, and a WAF is unlikely to help without specific custom rules. After upgrading, verify the fix by submitting a test template that references a Python-internal attribute and confirming it is rejected rather than rendered.
Upgrade InvenTree to version 1.2.7 or later. This update fixes a code injection vulnerability via template manipulation, ensuring that part-name rendering is performed in a secure sandbox environment.
CVE-2026-35477 is a remote code execution vulnerability affecting InvenTree versions 1.2.3 through 1.2.6, allowing attackers to execute arbitrary code through a flawed Jinja2 template renderer.
You are affected if you are running InvenTree versions 1.2.3, 1.2.4, 1.2.5, or 1.2.6. Upgrade to version 1.2.7 or later to mitigate the risk.
The recommended fix is to upgrade InvenTree to version 1.2.7 or later. If immediate upgrade is not possible, restrict settings access to trusted users.
While no active exploitation has been publicly confirmed, the vulnerability's nature suggests it could be exploited with little effort, so monitoring is recommended, in particular for changes to the affected template setting and for settings edits by staff accounts.
Refer to the InvenTree security advisory on their official website or GitHub repository for detailed information and updates.