PT-2026-29341 · Unknown+1 · Invoiceshelf+1

Lagongit · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34365

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

InvoiceShelf versions prior to 2.2.0

Description

InvoiceShelf is a web and mobile application used for expense tracking, payments, invoice creation, and estimates. A Server-Side Request Forgery (SSRF) exists in the Estimate PDF generation module in versions prior to 2.2.0. User-supplied HTML within the estimate Notes field is passed without sanitization to the Dompdf rendering library, allowing it to fetch remote resources referenced in the HTML markup. The vulnerability is exploitable through the PDF preview and customer view endpoints.

Recommendations

Update to version 2.2.0 or later.
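
One way to neutralise resource references in the Notes HTML before it reaches the renderer, as an added example: this is not InvoiceShelf's or Dompdf's code and not the 2.2.0 fix, which this page does not describe. The helper name `stripRemoteReferences` and the host `internal.example` are hypothetical.

```php
<?php
// Added example: hypothetical helper, not InvoiceShelf or Dompdf code.
// Attributes that can make an HTML renderer fetch a resource.
const FETCH_ATTRS = ['src', 'srcset', 'background', 'poster', 'data', 'xlink:href'];
// Elements with no place in a free-text notes field; removed whole.
const DROP_TAGS = ['link', 'style', 'script', 'iframe', 'object', 'embed', 'base', 'meta'];

function stripRemoteReferences(string $notesHtml): array
{
    libxml_use_internal_errors(true);   // tolerate sloppy user markup
    $doc = new DOMDocument();
    $doc->loadHTML('<html><head><meta charset="utf-8"></head><body>'
        . $notesHtml . '</body></html>', LIBXML_NONET);
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    $removed = [];

    foreach (iterator_to_array($xpath->query('//body//*')) as $node) {
        if (in_array($node->nodeName, DROP_TAGS, true)) {
            $removed[] = '<' . $node->nodeName . '>';
            $node->parentNode->removeChild($node);
        }
    }
    foreach (iterator_to_array($xpath->query('//body//@*')) as $attr) {
        $name  = strtolower($attr->nodeName);
        $value = trim($attr->nodeValue);
        // href triggers a fetch only on non-anchor elements (anchors are plain links).
        $isFetch = in_array($name, FETCH_ATTRS, true)
            || ($name === 'href' && $attr->ownerElement->nodeName !== 'a');
        // Inline data: images need no network access, so they stay.
        $inline = $isFetch && stripos($value, 'data:image/') === 0;
        // CSS can fetch via url() or @import; a backslash escape may hide either.
        $cssFetch = $name === 'style' && preg_match('/url\s*\(|@import|\\\\/i', $value);
        if (($isFetch && !$inline) || $cssFetch) {
            $removed[] = $attr->ownerElement->nodeName . '[' . $name . ']';
            $attr->ownerElement->removeAttributeNode($attr);
        }
    }
    $clean = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $clean .= $doc->saveHTML($child);
    }
    return ['html' => $clean, 'removed' => $removed];
}

// Constructed sample input; internal.example is a placeholder host.
$notes = '<p>Thank you.</p><img src="http://internal.example/status">'
       . '<p style="background:url(http://internal.example/x)">Terms apply.</p>';
print_r(stripRemoteReferences($notes));
```

The `removed` list is worth logging per estimate, since a Notes field that carried fetchable references is a useful review signal. Dompdf's `isRemoteEnabled` option, set to false, is a second layer where remote images are not needed.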

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-34365
GHSA-PC5V-8XWC-V9XQ

Affected Products

Dompdf
Invoiceshelf