7.7

CVE-2026-33530

EPSS 0.03%
Veröffentlicht 26.03.2026 19:34:51
Zuletzt bearbeitet 01.04.2026 18:48:48
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Inventree Project ≫ Inventree Version < 1.2.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.088

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	7.7	3.1	4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE-202 Exposure of Sensitive Information Through Data Queries

When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg

Vendor Advisory

https://github.com/inventree/InvenTree/pull/11581

Patch

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2026-33530

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33530

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33530

EUVD