CVE-2026-27629
Server-Side Template Injection in InvenTree Batch Code Generation
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inventree_project | inventree | up to 1.2.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27629 is a Server Side Template Injection (SSTI) vulnerability in InvenTree versions prior to 1.2.3. It occurs because the InvenTree server uses customizable Jinja2 templates to generate custom batch codes. Staff users with permission can modify these templates maliciously to exfiltrate sensitive information or execute arbitrary code on the server.

Exploitation requires a staff user to alter the batch code template and then trigger batch code generation via the API. Once the template is compromised, other users' API requests to generate batch codes will execute the malicious template code in their user context.

The vulnerable global settings involved are STOCK_BATCH_CODE_TEMPLATE and PART_NAME_FORMAT. The issue has been fixed in version 1.2.3 and later by sandboxing template generation to prevent unauthorized code execution. [1]
How can this vulnerability impact me?
This vulnerability can lead to exposure of sensitive information or allow arbitrary code execution on the InvenTree server.
Since the malicious template code executes in the context of other users making API requests, it can compromise the confidentiality, integrity, and availability of the system.
The CVSS v3.1 base score is 5.9 (Moderate), indicating a moderate impact with potential for low confidentiality, integrity, and availability losses.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if your InvenTree installation is running a version prior to 1.2.3 and if the global settings STOCK_BATCH_CODE_TEMPLATE or PART_NAME_FORMAT have been modified by a staff user.
Since exploitation requires a staff user to modify the Jinja2 templates and then generate batch codes via the API, monitoring API requests for batch code generation and auditing changes to these global settings can help detect potential exploitation.
Specific commands are not provided in the available resources, but general steps include:
- Check the InvenTree version to confirm if it is prior to 1.2.3.
- Audit the global settings STOCK_BATCH_CODE_TEMPLATE and PART_NAME_FORMAT for unauthorized or suspicious modifications.
- Review API logs for batch code generation requests, especially those initiated by staff users.
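The audit step above can be partly automated. The following is an added example, not InvenTree project code: it parses the values of the two named global settings with Jinja2's own parser and flags any expression that reaches into an underscore-prefixed attribute or item, something a batch-code or part-name template never legitimately needs. The settings dictionary is constructed sample data; the key names STOCK_BATCH_CODE_TEMPLATE and PART_NAME_FORMAT come from the advisory, while the template values and the assumption that an auditor would load them from a database export or settings API are this example's own.

```python
"""Static audit of InvenTree template-valued global settings (added example, not project code)."""
from jinja2 import Environment, nodes
from jinja2.exceptions import TemplateSyntaxError

# Constructed sample values standing in for what an auditor would export from the instance.
# The second template deliberately reaches into a private attribute so the audit has something to flag.
SAMPLE_SETTINGS = {
    "PART_NAME_FORMAT": "{{ part.IPN }} | {{ part.name }}",
    "STOCK_BATCH_CODE_TEMPLATE": "B-{{ year }}-{{ item._internal }}",
}

# The two settings named in the advisory as the vulnerable template sources.
AUDITED_KEYS = ("STOCK_BATCH_CODE_TEMPLATE", "PART_NAME_FORMAT")


def suspicious_attributes(template_src: str) -> list[str]:
    """Return the underscore-prefixed attribute/item names referenced by a template.

    A template that fails to parse is reported too, since a corrupted setting
    is itself worth a human look.
    """
    env = Environment()
    try:
        tree = env.parse(template_src)
    except TemplateSyntaxError as exc:
        return [f"<syntax error: {exc.message}>"]

    found = []
    # Dotted access such as {{ item._internal }}
    for node in tree.find_all(nodes.Getattr):
        if node.attr.startswith("_"):
            found.append(node.attr)
    # Subscript access with a constant string such as {{ item['_internal'] }}
    for node in tree.find_all(nodes.Getitem):
        arg = node.arg
        if isinstance(arg, nodes.Const) and isinstance(arg.value, str) and arg.value.startswith("_"):
            found.append(arg.value)
    return found


def audit_settings(settings: dict) -> dict:
    """Map each audited setting to its findings, omitting settings with nothing to report."""
    report = {}
    for key in AUDITED_KEYS:
        findings = suspicious_attributes(settings.get(key, ""))
        if findings:
            report[key] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_settings(SAMPLE_SETTINGS).items():
        print(f"{key}: review needed, references {findings}")
```

Any finding is a signal to compare the setting against its last known-good value and the audit trail of who changed it; an empty report is not proof of safety, only that the template contains none of the constructs this check looks for.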
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade your InvenTree installation to version 1.2.3 or later, where the issue has been patched by sandboxing template generation.
If upgrading is not immediately possible, apply the workaround by overriding the STOCK_BATCH_CODE_TEMPLATE and PART_NAME_FORMAT global settings at the system level to default values. This prevents staff users from editing these templates and requires system administrator access.
This override cannot be changed from the client side once the server is running, providing a secure mitigation until an upgrade can be performed.
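To make the "sandboxing template generation" fix concrete, here is an added example that is not InvenTree's own patch: it renders the same batch-code template once through a plain Jinja2 Environment (the pre-1.2.3 situation, where a staff-edited template can read any attribute of the objects it is given) and once through Jinja2's SandboxedEnvironment, which refuses underscore-prefixed attributes. The StockItemStub class, the `item` and `year` context names, and the use of StrictUndefined are this example's assumptions; with Jinja2's default Undefined a blocked attribute silently renders as an empty string, so StrictUndefined is what turns the violation into a loud SecurityError.

```python
"""Plain vs sandboxed rendering of a staff-editable batch-code template (added example, not project code)."""
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


class StockItemStub:
    """Constructed stand-in for the object a batch-code template is rendered against."""

    def __init__(self, pk: int, part_name: str):
        self.pk = pk
        self.part_name = part_name
        # Private state that no batch-code template has a legitimate reason to read.
        self._internal = "constructed-private-value"


def render_batch_code(template_src: str, item: StockItemStub, sandboxed: bool = True) -> str:
    """Render a batch-code template against one stock item.

    sandboxed=False mirrors the risk in versions before 1.2.3: the template sees every
    attribute of the context objects. sandboxed=True uses SandboxedEnvironment, whose
    is_safe_attribute() rejects underscore-prefixed names. StrictUndefined makes the
    rejected lookup raise SecurityError instead of rendering as an empty string.
    """
    if sandboxed:
        env = SandboxedEnvironment(undefined=StrictUndefined)
    else:
        env = Environment(undefined=StrictUndefined)
    return env.from_string(template_src).render(item=item, year=2026)


def try_render(template_src: str, item: StockItemStub, sandboxed: bool = True) -> tuple[bool, str]:
    """Return (ok, text); a sandbox violation comes back as ok=False with the reason."""
    try:
        return True, render_batch_code(template_src, item, sandboxed)
    except SecurityError as exc:
        return False, f"blocked by sandbox: {exc}"


if __name__ == "__main__":
    stub = StockItemStub(pk=42, part_name="Widget")
    benign = "BATCH-{{ year }}-{{ item.pk }}"
    probing = "{{ item._internal }}"
    print("benign, plain:    ", try_render(benign, stub, sandboxed=False))
    print("benign, sandboxed:", try_render(benign, stub))
    print("probing, plain:   ", try_render(probing, stub, sandboxed=False))
    print("probing, sandboxed:", try_render(probing, stub))
```

The benign template renders identically in both modes, which is the property a fix like this needs: legitimate batch-code templates keep working while the sandbox confines what an edited template can reach. The sandbox is a confinement layer, not a substitute for the system-level override of the two settings described above or for the upgrade itself.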