6.6

CVE-2026-35479

EPSS 0.03%
Veröffentlicht 08.04.2026 19:27:57
Zuletzt bearbeitet 21.04.2026 13:35:16
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions (such as uninstalling) which do require superuser access. The vulnerability allows staff users (who may be considered to have a lower level of trust than a superuser account) to install arbitrary (and potentially harmful) plugins. This vulnerability is fixed in 1.2.7 and 1.3.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Inventree Project ≫ Inventree Version < 1.2.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.071

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.7	1.2	3.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
security-advisories@github.com	6.6	2.3	3.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://docs.inventree.org/en/stable/concepts/threat_model/#assumed-trust

Product

https://github.com/inventree/InvenTree/security/advisories/GHSA-7c3q-vwcv-2vp7

Third Party Advisory

https://docs.inventree.org/en/stable/start/config/#plugin-options

Product

https://nvd.nist.gov/vuln/detail/CVE-2026-35479

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-35479

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-35479

EUVD