PT-2026-28489 · Inventree · Inventree

Alonaki · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-33531

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
InvenTree versions prior to 1.2.6
InvenTree versions 1.2.6 through 1.3.0

Description
InvenTree is an open source inventory management system. A path traversal issue exists in the report template engine, allowing a staff-level user to read arbitrary files from the server filesystem through manipulated template tags. The affected functions are encode_svg_image(), asset(), and uploaded_image(), located in src/backend/InvenTree/report/templatetags/report.py. Exploitation requires staff access to upload or edit templates with malicious tags. If the InvenTree installation has high access privileges on the host system, this path traversal may enable access to files outside the InvenTree source directory.

Recommendations
Update to InvenTree version 1.2.6 or later. Update to InvenTree version 1.3.0 or later. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
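As an added, defensive illustration (not InvenTree's code and not a reproduction of the patched functions), the containment check a report-template asset loader needs before opening a template-supplied path; the base directory, file names and helper names below are assumptions:

```python
import os
from pathlib import Path


def naive_join(base_dir: str, requested: str) -> str:
    """The unsafe pattern: join a template-supplied path onto the asset
    directory and normalise it, without checking where it ended up.
    '..' components (or an absolute path) silently leave base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_under(base_dir: str, requested: str) -> Path:
    """Hypothetical hardened resolver (not InvenTree's): resolve the path
    and refuse anything that escapes base_dir after normalisation.

    Raises ValueError for absolute inputs and for any input whose resolved
    form is not inside base_dir; returns the resolved Path otherwise."""
    base = Path(base_dir).resolve()
    # Absolute paths are rejected outright: os.path.join would discard base_dir.
    if Path(requested).is_absolute():
        raise ValueError(f"absolute path not allowed: {requested!r}")
    # resolve() collapses '..' and follows symlinks, so the check below is
    # made on the real target, not on the string the template supplied.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes asset directory: {requested!r}") from None
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """True if resolve_under() would accept the path, False if it rejects it."""
    try:
        resolve_under(base_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate asset reference, one that
    # stays inside after normalisation, and two that must be refused.
    ASSETS = "/srv/inventree/media"  # assumed asset directory
    for req in ("reports/logo.png", "reports/../logo.png",
                "../../etc/hostname", "/etc/hostname"):
        print(f"{req!r:24} naive -> {naive_join(ASSETS, req):32} "
              f"contained: {is_contained(ASSETS, req)}")
```

The point of the second sample is that a correct check works on the resolved path rather than on the presence of `..` in the string, so a harmless `reports/../logo.png` is still accepted while anything resolving outside the asset directory is not.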

Exploit

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-33531
GHSA-RHC5-7C3R-C769

Affected Products

Inventree