PT-2026-29342

Lagongit · Published 2026-03-31 · Updated 2026-04-01

CVE-2026-34366 · CVSS v3.1 8.1 (High) · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

InvoiceShelf versions prior to 2.2.0

Description

InvoiceShelf is a web and mobile application for expense tracking, payments, and invoice/estimate creation. Versions prior to 2.2.0 contain a Server-Side Request Forgery (SSRF) in the payment receipt PDF generation module. HTML supplied by the user in the payment Notes field is passed unsanitized to the Dompdf rendering library; when Dompdf renders markup that references an external resource (for example an <img> or <link> element with a URL), the server itself fetches that URL, so an authenticated user can make the application issue requests to hosts of their choosing, including internal hosts that are not reachable from outside. The vulnerability is reachable through the PDF receipt endpoint regardless of the email attachment settings.

Recommendations

Update to version 2.2.0 or later.
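The following PHP script is an added illustration of the vulnerability class described above, not InvoiceShelf's or Dompdf's own code. It shows the vulnerable pattern (unescaped note text interpolated into receipt HTML and rendered with Dompdf's remote fetching enabled) beside a hardened version (note treated as text, remote fetching disabled). The function names, the note payload and the internal URL are assumptions constructed for the example; only the Dompdf `Options`, `loadHtml()`, `render()` and `output()` calls are real library API.

```php
<?php
// Added example, not InvoiceShelf's or Dompdf's own code. Assumes dompdf/dompdf is
// installed through Composer. Function names, the note text and the internal URL
// below are hypothetical and constructed for illustration.
require __DIR__ . '/vendor/autoload.php';

use Dompdf\Dompdf;
use Dompdf\Options;

// Constructed attacker-controlled Notes value: an <img> pointing at an internal host.
// If Dompdf may fetch remote resources, render() makes the server request this URL.
const ATTACKER_NOTES = 'Thanks! <img src="http://10.0.0.5/internal-status" alt="">';

// Vulnerable pattern: raw note interpolated into the receipt markup.
function buildReceiptHtmlVulnerable(string $notes): string
{
    return "<html><body><h1>Payment receipt</h1><p>Notes: {$notes}</p></body></html>";
}

// Vulnerable pattern: remote fetching enabled, so any URL in the markup is requested
// from the application server during rendering (the SSRF).
function renderReceiptVulnerable(string $notes): string
{
    $options = new Options();
    $options->set('isRemoteEnabled', true);
    $dompdf = new Dompdf($options);
    $dompdf->loadHtml(buildReceiptHtmlVulnerable($notes));
    $dompdf->render();   // the outbound HTTP request happens here
    return $dompdf->output();
}

// Hardened pattern: the note is data, not markup. Escaping turns '<img ...>' into
// '&lt;img ...&gt;', which Dompdf prints as literal text and never interprets.
function buildReceiptHtmlSafe(string $notes): string
{
    $escaped = htmlspecialchars($notes, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<html><body><h1>Payment receipt</h1><p>Notes: {$escaped}</p></body></html>";
}

// Hardened pattern: additionally deny Dompdf any network access for this document,
// so a tag that slipped past the template still cannot trigger a remote fetch.
function renderReceiptSafe(string $notes): string
{
    $options = new Options();
    $options->set('isRemoteEnabled', false);
    $dompdf = new Dompdf($options);
    $dompdf->loadHtml(buildReceiptHtmlSafe($notes));
    $dompdf->render();
    return $dompdf->output();
}

// Cheap pre-render check a reviewer or test can run: does the markup handed to
// Dompdf still contain any element type that causes a resource fetch?
function containsFetchingElement(string $html): bool
{
    return (bool) preg_match('/<\s*(img|link|iframe|object|embed)\b/i', $html);
}

// Demonstration on the constructed payload.
$vulnerableHtml = buildReceiptHtmlVulnerable(ATTACKER_NOTES);
$safeHtml       = buildReceiptHtmlSafe(ATTACKER_NOTES);

printf("vulnerable markup triggers a fetch: %s\n", containsFetchingElement($vulnerableHtml) ? 'yes' : 'no');
printf("hardened markup triggers a fetch:   %s\n", containsFetchingElement($safeHtml) ? 'yes' : 'no');

// Only render the safe variant; rendering the vulnerable one would actually
// contact http://10.0.0.5 from this machine.
$pdf = renderReceiptSafe(ATTACKER_NOTES);
printf("hardened receipt PDF: %d bytes\n", strlen($pdf));
```

Escaping the field is the actual fix; disabling `isRemoteEnabled` only removes the network path and should be treated as defence in depth, since Dompdf can still resolve local file references for elements it does interpret unless its `chroot` option confines it. In a real deployment the same check belongs in a template test so that a later edit does not reintroduce raw interpolation.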

Weakness Enumeration

SSRF (Server-Side Request Forgery, CWE-918)

Related Identifiers

CVE-2026-34366
GHSA-38HF-FQ8X-Q49R

Affected Products

Dompdf
Invoiceshelf