PT-2026-31437 · InvenTree

Published 2026-04-08 · Updated 2026-04-08 · CVE-2026-39362

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: InvenTree versions prior to 1.2.7 and 1.3.0

Description: InvenTree, an Open Source Inventory Management System, has an issue where authenticated users can provide remote image URLs when the INVENTREE_DOWNLOAD_FROM_URL setting is enabled. These URLs are fetched server-side using requests.get() with only a Django URL format check: there is no validation against private IP ranges or internal hostnames, and redirects are followed, which bypasses the URL format check entirely. This allows Server-Side Request Forgery.

Recommendations: Update to version 1.2.7 or 1.3.0.
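The two gaps named in the description (format-only URL check, redirects followed by the HTTP client) are what a hardened fetch path has to close. The following is an added illustration written for this advisory, not InvenTree's code or its actual fix; the function names and the injected `get` callable are assumptions, and it handles both literal IPs and hostnames as well as relative Location headers.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

def resolve_addresses(hostname):
    """Every IP the host maps to; a literal IPv4/IPv6 address is returned as-is."""
    try:
        return [ipaddress.ip_address(hostname)]
    except ValueError:
        return [ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(hostname, None)]

def is_public_address(addr):
    """Globally routable unicast only (is_global excludes loopback, private, link-local)."""
    return addr.is_global and not addr.is_multicast

def check_url(url):
    """Return the parsed URL if it may be fetched, else raise ValueError (checks the host, not just the format)."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("URL has no host")
    for addr in resolve_addresses(parsed.hostname):
        if not is_public_address(addr):
            raise ValueError(f"{parsed.hostname} resolves to non-public {addr}")
    return parsed

def url_is_safe(url):
    """Boolean form of check_url(); a DNS failure (OSError) also fails closed."""
    try:
        check_url(url)
        return True
    except (ValueError, OSError):
        return False

def safe_fetch(url, get, max_redirects=5):
    """Fetch url, handling redirects here so every Location target is run through
    check_url() before it is requested. `get(url)` must perform ONE request without
    following redirects, e.g. lambda u: requests.get(u, allow_redirects=False)."""
    for _ in range(max_redirects + 1):
        check_url(url)
        resp = get(url)
        if resp.status_code in REDIRECT_CODES and "Location" in resp.headers:
            url = urljoin(url, resp.headers["Location"])  # relative Location too
            continue
        return resp
    raise ValueError("too many redirects")
```

Resolution happens in check_url() and again inside the HTTP client, so a hostname whose DNS answer changes between the two lookups could still slip through; closing that window means connecting to the address that was validated rather than re-resolving.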

Fix

SSRF

Weakness Enumeration: SSRF

Related Identifiers: CVE-2026-39362

Affected Products: Inventree, Requests