CVE-2026-34365
SSRF Vulnerability in InvoiceShelf PDF Generation Module
Publication date: 2026-03-31
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| invoiceshelf | invoiceshelf | < 2.2.0 (all versions before 2.2.0; 2.2.0 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
The SSRF vulnerability in InvoiceShelf can have several serious impacts:
- Internal reconnaissance: the PDF renderer runs on the server, so an attacker can use it to probe internal hosts and ports that are not reachable from the Internet.
- Leakage of sensitive data, including local files if Dompdf is allowed to resolve file:// references.
- Access to cloud metadata endpoints (AWS, GCP, Azure all serve instance metadata on 169.254.169.254), which can expose instance credentials.
- Conditional remote code execution: if Dompdf's isPhpEnabled option is turned on, inline PHP embedded in the Notes field is executed during rendering.
Can you explain this vulnerability to me?
CVE-2026-34365 is a Server-Side Request Forgery (SSRF) vulnerability in InvoiceShelf versions prior to 2.2.0, specifically in the Estimate PDF generation module.
The root cause is that user-supplied HTML in the estimate Notes field is passed unsanitized to the Dompdf rendering library. Dompdf renders that HTML and loads any resources it references, such as images or stylesheets, so a reference to an attacker-chosen URL becomes a request made by the InvoiceShelf server.
An attacker exploits this by placing malicious HTML (for example an image tag pointing at a server they control, or at an internal address) in the Notes field. When the PDF preview or customer view endpoints are accessed, Dompdf issues the requests, which is the SSRF.
The flaw is reachable through several endpoints, so it is exploitable whether or not automated email attachments are enabled.
Two Dompdf settings bound the practical impact: Dompdf follows http(s) references only when its isRemoteEnabled option is on, and executes inline PHP only when isPhpEnabled is on, so what an attacker can reach from a given deployment depends on how its Dompdf is configured.
The issue is fixed in InvoiceShelf 2.2.0, which sanitizes the Notes HTML before rendering the PDF.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation of this SSRF shows up as outbound requests initiated by the InvoiceShelf application itself, especially ones that coincide with PDF generation for estimates. Egress proxy or firewall logs that attribute connections to the web or PHP worker process are the first place to look.
A practical active test: on a throwaway estimate in a staging copy of your instance (the payload is stored with the estimate and will be rendered into every PDF of it, including any sent to a customer), put a reference to an image on a host you control into the Notes field, then request the PDF preview or customer view and watch for the callback.
Network monitoring tools or packet capture commands can confirm the outbound request. For example, on the server hosting InvoiceShelf (the BPF filter needs the parentheses, otherwise "and" binds tighter than "or" and you also capture every unrelated port 443 packet):
- tcpdump -i <interface> host <your-listener-ip> and '(port 80 or port 443)'
- then store the payload and trigger rendering with curl (an API token and a JSON Content-Type header are assumed for the authenticated call):
- curl -X POST https://<invoiceshelf-server>/api/v1/estimates/{estimate}/send -H 'Authorization: Bearer <token>' -H 'Content-Type: application/json' -d '{"notes":"<img src=\"http://<your-listener>/test.png\">"}'
- curl https://<invoiceshelf-server>/estimates/pdf/{estimate_unique_hash}
- curl https://<invoiceshelf-server>/customer/estimates/view/{email_log_token}
If the server requests the test image, the instance renders Notes HTML without sanitization and is vulnerable. The converse does not hold: no callback may simply mean Dompdf's isRemoteEnabled is off or egress is blocked, so a silent result is not proof that the install is patched; check the installed version instead.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade InvoiceShelf to version 2.2.0 or later, where the Notes HTML is sanitized before PDF rendering.
Until the upgrade can be applied, restrict who can reach the PDF preview and customer view endpoints, limit who can edit estimate Notes, and, if the business allows it, disable PDF generation for content that contains user-supplied HTML.
Also verify how the bundled Dompdf is configured: isPhpEnabled should be off, since it is the precondition for the code-execution outcome. Restrict outbound connections from the PHP worker to the hosts it legitimately needs, block the cloud metadata address (169.254.169.254), and alert on any other outbound HTTP from the InvoiceShelf server.
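The two answers above describe an active callback test and a stopgap until the upgrade. The following is an added example written for this page, not code from InvoiceShelf or Dompdf and not the upstream 2.2.0 fix: it audits stored Notes HTML for every reference Dompdf would fetch or execute (a static check that, unlike the live test, also finds payloads that are already planted), and it provides an allowlist sanitizer of the kind a stopgap pre-render filter would apply. The Dompdf behaviour it relies on is real (img/link/iframe/object resources and CSS url() targets are loaded, http(s) only when isRemoteEnabled is on, and <script type="text/php"> runs only when isPhpEnabled is on); the element list, the risk labels, the host canary.example.net and the sample Notes value are this example's own.

```python
"""Audit estimate Notes HTML for references Dompdf would fetch or execute, plus a
stopgap allowlist sanitizer. Added example for this advisory page; not code from
InvoiceShelf or Dompdf and not the upstream 2.2.0 fix. Element list, risk labels
and the sample payload are this example's own assumptions."""
import html
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element -> attribute whose value Dompdf will load.
RESOURCE_ATTRS = {"img": "src", "link": "href", "iframe": "src", "object": "data"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
# Plain formatting that is safe to render; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li"}


def classify_url(url):
    """Coarse risk label for a URL Dompdf would resolve (hostnames are not resolved)."""
    parts = urlsplit(url.strip())
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme == "file":
        return "local-file"
    if scheme == "data":
        return "inline-data"
    if not scheme and not host:
        return "relative"  # resolved against Dompdf's base path / chroot
    if host == "metadata.google.internal":
        return "cloud-metadata"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "internal" if host == "localhost" else "remote"
    if ip.is_link_local:
        return "cloud-metadata"  # 169.254.169.254 serves AWS/Azure/GCP metadata
    if ip.is_loopback or ip.is_private:
        return "internal"
    return "remote"


class _RefFinder(HTMLParser):
    """Collects (where, target, label) for every fetch/execute trigger in the HTML."""

    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = RESOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.findings.append((tag, attrs[attr], classify_url(attrs[attr])))
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self.findings.append(("style-attr", url, classify_url(url)))
        if tag == "script" and (attrs.get("type") or "").lower() == "text/php":
            self.findings.append(("script", "text/php", "inline-php"))
        self._in_style = tag == "style"

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # <style> bodies carry url() as well
            for url in CSS_URL.findall(data):
                self.findings.append(("style", url, classify_url(url)))


class _Sanitizer(HTMLParser):
    """Keeps ALLOWED_TAGS without attributes; drops script/style with their content."""

    def __init__(self):
        super().__init__()
        self.out, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ALLOWED_TAGS and not self._skip:
            self.out.append(f"<{tag}>")  # attributes dropped: no style="url(...)"

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def find_resource_refs(notes_html):
    """Fetch/execute triggers found in one estimate's Notes HTML."""
    p = _RefFinder()
    p.feed(notes_html)
    p.close()
    return p.findings


def sanitize_notes(notes_html):
    """Stopgap: strip everything Dompdf could fetch or execute before rendering."""
    p = _Sanitizer()
    p.feed(notes_html)
    p.close()
    return "".join(p.out)


# Constructed sample of a malicious Notes value (not taken from a real estimate).
SAMPLE_NOTES = (
    "<p>Thanks for your business.</p>"
    '<img src="http://canary.example.net/probe.png">'
    '<img src="http://169.254.169.254/latest/meta-data/">'
    '<link rel="stylesheet" href="file:///etc/passwd">'
    '<div style="background:url(http://10.0.0.5:8080/admin)">x</div>'
    '<script type="text/php">echo "php ran";</script>'
)
```

To audit an existing install, export the Notes value of every estimate and run find_resource_refs over each; any finding labelled remote, internal, cloud-metadata, local-file or inline-php on an estimate that nobody should have authored that way is evidence the flaw has already been used, which the live callback test cannot tell you. sanitize_notes keeps only inline formatting and drops attributes entirely, so a CSS url() in a style attribute cannot survive either; it is a holding measure until 2.2.0 is deployed, not a replacement for the upgrade.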
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-34365 vulnerability in InvoiceShelf allows Server-Side Request Forgery (SSRF) through unsanitised user input in the estimate Notes field, potentially leading to sensitive data leakage and unauthorized access to internal services or cloud metadata endpoints.
Such data leakage and unauthorized access could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access and breaches.
Specifically, the vulnerability could enable attackers to access internal resources or credentials, increasing the risk of exposure of protected data, thereby violating confidentiality and integrity requirements mandated by these standards.
Remediation by upgrading to InvoiceShelf version 2.2.0, which sanitizes HTML input before PDF rendering, is necessary to mitigate these compliance risks.