PT-2026-29343 · Unknown+1 · Invoiceshelf+1

Lagongit · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34367

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

InvoiceShelf versions prior to 2.2.0

Description

InvoiceShelf is a web and mobile application for tracking expenses, payments, and creating invoices and estimates. A Server-Side Request Forgery (SSRF) vulnerability exists in the Invoice PDF generation module in versions prior to 2.2.0. User-supplied HTML within the invoice Notes field is passed without sanitization to the Dompdf rendering library, allowing it to fetch remote resources referenced in the HTML markup. This can be triggered through the PDF preview and email delivery endpoints.

Recommendations

Update to version 2.2.0 or later.
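
A pre-render check for the condition described above, as an added example: it is not InvoiceShelf's fix or Dompdf code, and the function name, attribute list and sample Notes values are constructed for illustration. It lists every reference in a Notes value that an HTML-to-PDF renderer could try to load, so the value can be rejected or stripped before rendering.

```php
<?php
// Added example: not InvoiceShelf or Dompdf code. Function name and samples are constructed.

/** Collect every reference in $html that an HTML-to-PDF renderer could try to load. */
function fetchable_references(string $html): array
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate malformed user HTML
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $urlAttrs = ['src', 'href', 'background', 'poster', 'data'];
    $refs = [];
    $css = '';
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//@*') as $attr) {
        $name = strtolower($attr->nodeName);
        if (in_array($name, $urlAttrs, true)) {
            $refs[] = trim($attr->nodeValue);
        } elseif ($name === 'style') {
            $css .= $attr->nodeValue . "\n";
        }
    }
    foreach ($xpath->query('//style') as $style) {
        $css .= $style->textContent . "\n";
    }
    // url(...) and @import "..." inside inline styles and <style> blocks
    $pattern = '/url\(\s*[\'"]?([^\'")\s]+)|@import\s+[\'"]([^\'"]+)/i';
    if (preg_match_all($pattern, $css, $m, PREG_SET_ORDER)) {
        foreach ($m as $hit) {
            $refs[] = $hit[1] !== '' ? $hit[1] : $hit[2];
        }
    }
    // data: URIs and #fragments stay in-process; everything else (absolute URLs,
    // other schemes, relative paths) is treated as fetchable, to stay conservative.
    return array_values(array_filter($refs, function (string $r): bool {
        return $r !== '' && $r[0] !== '#' && stripos($r, 'data:') !== 0;
    }));
}

// Constructed sample Notes values; internal.example is a placeholder host.
$samples = [
    '<p>Thanks for your business. <b>Net 30.</b></p>',
    '<p style="background:url(http://internal.example/bg.png)">Hi</p>',
    '<img src="data:image/png;base64,iVBORw0KGgo=">',
];
foreach ($samples as $notes) {
    $refs = fetchable_references($notes);
    echo ($refs ? 'REJECT ' . implode(', ', $refs) : 'OK') . "\n";
}
```

Independently of input checks, Dompdf's `isRemoteEnabled` option controls whether the renderer loads remote resources at all.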

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-34367
GHSA-Q9WX-GGWQ-MCGH

Affected Products

Dompdf
Invoiceshelf