CVE-2026-33531
Received Received - Intake
Path Traversal in InvenTree Report Template Engine Allows File Access

Publication date: 2026-03-26

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vulnerability in the report template engine allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags. Affected functions: `encode_svg_image()`, `asset()`, and `uploaded_image()` in `src/backend/InvenTree/report/templatetags/report.py`. This requires staff access (to upload / edit templates with maliciously crafted tags). If the InvenTree installation is configured with high access privileges on the host system, this path traversal may allow file access outside of the InvenTree source directory. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33531
EUVD
EUVD-2026-16361
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
inventree_project inventree to 1.2.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33531 is a path traversal vulnerability in the InvenTree Open Source Inventory Management System prior to version 1.2.6. It affects the report template engine, specifically the functions encode_svg_image(), asset(), and uploaded_image() in the report.py file. A staff-level user who can upload or edit report templates can craft malicious template tags to read arbitrary files from the server filesystem.

If the InvenTree installation runs with high privileges on the host system, this vulnerability may allow access to files outside the InvenTree source directory. The issue was fixed in versions 1.2.6 and 1.3.0 by refactoring the affected functions to use Django's storage backend APIs instead of direct filesystem access, thereby mitigating the path traversal risk.

Impact Analysis

This vulnerability allows a staff-level user with the ability to upload or edit report templates to read arbitrary files on the server filesystem. If the InvenTree process runs with elevated privileges, this could lead to unauthorized access to sensitive files outside the application directory.

However, exploitation requires authenticated staff-level access, and no user interaction beyond that is necessary. The vulnerability is rated as low severity with no direct impact on confidentiality, integrity, or availability according to CVSS metrics.

Users should update to the patched versions 1.2.6 or later to mitigate this risk, as no known workarounds exist.

Detection Guidance

This vulnerability requires a staff-level user to upload or edit report templates with maliciously crafted template tags to exploit path traversal. Detection involves monitoring for unauthorized or suspicious template uploads or edits within the InvenTree system.

Since the vulnerability is in specific functions (`encode_svg_image()`, `asset()`, and `uploaded_image()`) in the report template engine, reviewing logs or audit trails for template changes or uploads by staff users may help detect attempts.

No specific detection commands or network signatures are provided in the available information.

Mitigation Strategies

The primary mitigation step is to update the InvenTree installation to version 1.2.6, 1.3.0, or later, where the vulnerability has been patched.

Avoid running the InvenTree process with elevated privileges on the host system, as this reduces the risk of file access outside the source directory.

There are no known workarounds available, so updating to a patched version is essential.

Compliance Impact

The vulnerability allows a staff-level user to read arbitrary files from the server filesystem via crafted template tags if the InvenTree installation is configured with high access privileges. This unauthorized file access could potentially expose sensitive data stored on the server.

Such unauthorized access to sensitive files may impact compliance with data protection regulations like GDPR or HIPAA, which require strict controls on access to personal or protected health information. However, the vulnerability requires authenticated staff-level access and no user interaction beyond that.

The issue is patched in versions 1.2.6 and later, and users are advised to update to these versions to mitigate the risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33531. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart