CVE-2026-39362
InvenTree has SSRF via Remote Image Download: No IP/Hostname Validation on remote_image URLs
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 12th |
InvenTree is an Open Source Inventory Management System. Prior to versions 1.2.7 and 1.3.0, when the opt-in INVENTREE_DOWNLOAD_FROM_URL setting is enabled, authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator as a check. There is no validation against private IP ranges or internal hostnames, and redirects are followed (allow_redirects=True), so any URL-format check can be bypassed by redirecting from a permitted URL to an internal one. This vulnerability is fixed in 1.2.7 and 1.3.0.
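A defensive counterpart to the pattern described above, added here as an illustration and not InvenTree's own code: a URL check that resolves the hostname and rejects private, loopback and link-local addresses, plus a fetch loop that re-runs the check on every redirect hop instead of letting the HTTP client follow redirects. The host names, addresses and the `demo_get`/`demo_resolve` stand-ins are constructed so the example runs offline.

```python
import ipaddress
import socket
from types import SimpleNamespace
from urllib.parse import urljoin, urlparse

def is_public(ip) -> bool:
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_url(url, resolve=socket.getaddrinfo):
    """Return (ok, reason). `resolve` is injectable so the check runs offline in tests."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False, "scheme must be http(s) and a host is required"
    try:  # literal address (dotted IPv4 or bracketed IPv6)
        addrs = [ipaddress.ip_address(p.hostname)]
    except ValueError:  # hostname (or an odd form such as "2130706433"): resolve, judge every address
        try:
            infos = resolve(p.hostname, p.port or 80, proto=socket.IPPROTO_TCP)
        except OSError as exc:
            return False, f"DNS failure: {exc}"
        addrs = [ipaddress.ip_address(i[4][0]) for i in infos]
    bad = [str(a) for a in addrs if not is_public(a)]
    return (False, f"{p.hostname} -> non-public {bad}") if bad else (True, "ok")

def fetch_checked(url, get, resolve=socket.getaddrinfo, max_redirects=3):
    """Follow redirects by hand so every hop passes check_url. `get(url)` must not
    auto-follow redirects (e.g. requests.get(url, allow_redirects=False))."""
    for _ in range(max_redirects + 1):
        ok, reason = check_url(url, resolve)
        if not ok:
            raise ValueError(f"refusing {url}: {reason}")
        resp = get(url)
        if resp.status_code not in (301, 302, 303, 307, 308):
            return resp
        url = urljoin(url, resp.headers["Location"])
    raise ValueError("too many redirects")

# Constructed offline stand-ins for DNS and HTTP (no real hosts are contacted).
DEMO_DNS = {"cdn.example": "93.184.216.34", "meta.internal": "169.254.169.254"}
def demo_resolve(host, port, proto=None):
    if host not in DEMO_DNS:
        raise OSError("NXDOMAIN")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (DEMO_DNS[host], port))]

def demo_get(url):  # the public host answers with a redirect to a link-local address
    if url.startswith("https://cdn.example/redirect"):
        return SimpleNamespace(status_code=302, headers={"Location": "http://meta.internal/"})
    return SimpleNamespace(status_code=200, headers={})
```

Resolving once in the check and again inside the HTTP client leaves a DNS-rebinding window; a production fix also pins the connection to the address that was checked, or re-validates the peer address in a connection hook.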
| CWE | CWE-918 |
| Vendor | inventree |
| Product | inventree |
| Published | Apr 8, 2026 |
| Last Updated | Apr 10, 2026 |
Affected Versions
inventree / InvenTree
< 1.2.7