PT-2026-31434 · Inventree · Inventree
Published 2026-04-08 · Updated 2026-04-08 · CVE-2026-35477
CVSS v3.1: 9.9 (Critical)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
InvenTree versions 1.2.3 through 1.2.6
Description
InvenTree, an open source inventory management system, allows a staff user with settings access to craft a template that passes validation but executes arbitrary code when it is rendered. Two defects combine to cause this. First, the PART NAME FORMAT validator was upgraded to evaluate templates in a sandboxed Jinja2 environment, but the renderer in part/helpers.py still evaluates them in a non-sandboxed environment, so the validator checks a weaker interpretation of the template than the one that runs in production. Second, the validator renders the template against a dummy Part instance whose primary key is None, so conditional template expressions can take one branch during validation and a different branch during production rendering, leaving the production branch unchecked.
Recommendations
Update to version 1.2.7 or 1.3.0.
Affected Products
Inventree