
CVE-2026-33530

· Published 26/03/2026 20:16 · Modified 26/03/2026 20:16

Labels: CVE-2026-33530, 2026-03-26, CWE-202, [email protected]

Essential information

Published: 26/03/2026 20:16
Modified: 26/03/2026 20:16
Author
Creator
CVSS: 7.7 HIGH (v3.1)
CISA KEV: No
CWE: (not listed)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS metrics (decoded from the v3.1 vector above)

Attack vector: Network
Attack complexity: Low
Privileges required: Low (any authenticated account)
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Description

InvenTree is an open source inventory management system. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be abused to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a `filters` parameter that is passed directly to Django's ORM as `queryset.filter(**filters)` without any field allowlisting. Because Django's `__` lookup syntax lets a filter key name a field on a related model (and a lookup operator such as `startswith`), any authenticated user can traverse model relationships and use the endpoint's match/no-match response as an oracle for blind boolean-based data extraction. This issue is patched in version 1.2.6 and in 1.3.0 (or above). Users should update to a patched version. No known workarounds are available.
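The filter-injection pattern the description names, as an added example that is not InvenTree's code: the in-memory tables, the hypothetical Part/User models with their `owner` and `password` fields, and the secret value are all constructed for illustration. `unsafe_filter` mimics the vulnerable `queryset.filter(**filters)` shape on plain dicts so the block runs without Django; `blind_extract` shows why a bare match/no-match answer is enough to read a related row one character at a time; `validate_filters` is the per-field allowlist check that belongs in front of the real ORM call, and `safe_filter` is the hardened form.

```python
import string

# Constructed in-memory "database". Model and field names (Part, User, owner,
# password) are hypothetical; they are not InvenTree's schema.
USERS = {1: {"username": "alice", "password": "s3cret!"}}
PARTS = [
    {"name": "M3 bolt", "active": True, "owner": 1},
    {"name": "M3 nut", "active": False, "owner": 1},
]
RELATIONS = {"owner": USERS}  # foreign-key name -> related table

# A subset of Django lookup operators, enough to show the pattern.
LOOKUPS = {
    "exact": lambda value, arg: value == arg,
    "startswith": lambda value, arg: str(value).startswith(arg),
    "gt": lambda value, arg: value > arg,
}


def _resolve(row, path):
    """Walk a Django-style path such as ['owner', 'password'] across relations."""
    value = row
    last = len(path) - 1
    for i, seg in enumerate(path):
        if seg in RELATIONS and i < last:
            value = RELATIONS[seg][value[seg]]  # follow the foreign key
        else:
            value = value[seg]
    return value


def unsafe_filter(rows, filters):
    """Mimics queryset.filter(**filters) with no allowlisting: the vulnerable shape.

    Every key is trusted, so 'owner__password__startswith' silently walks the
    relation and compares against the related user's password column.
    """
    matched = []
    for row in rows:
        ok = True
        for key, arg in filters.items():
            path = key.split("__")
            lookup = path.pop() if path[-1] in LOOKUPS else "exact"
            if not LOOKUPS[lookup](_resolve(row, path), arg):
                ok = False
                break
        if ok:
            matched.append(row)
    return matched


def blind_extract(oracle, key, alphabet=string.printable.strip(), max_len=64):
    """Recover a hidden value one character at a time.

    oracle(filters) returns True when at least one row matches, which is all
    an attacker needs from a 'blind boolean' endpoint.
    """
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            if oracle({key: known + ch}):
                known += ch
                break
        else:
            return known  # no character extends the prefix: value complete
    return known


class BadFilter(ValueError):
    """Raised when a caller-supplied filter is not on the allowlist."""


# The fix: a per-field allowlist of permitted lookups, no relation traversal.
ALLOWED_FILTERS = {
    "name": {"exact", "startswith"},
    "active": {"exact"},
}


def validate_filters(filters, allowed=ALLOWED_FILTERS):
    """Run this before queryset.filter(**filters).

    'field__lookup' is accepted only when both parts are allowlisted. A
    traversal such as 'owner__password__startswith' fails because its field
    'owner' is unlisted and its "lookup" 'password__startswith' never is.
    """
    clean = {}
    for key, arg in filters.items():
        field, _, lookup = key.partition("__")
        lookup = lookup or "exact"
        if field not in allowed or lookup not in allowed[field]:
            raise BadFilter(f"filter not permitted: {key!r}")
        clean[key] = arg
    return clean


def safe_filter(rows, filters):
    """Hardened bulk filter: allowlist first, then the ordinary ORM-style filter."""
    return unsafe_filter(rows, validate_filters(filters))


if __name__ == "__main__":
    oracle = lambda f: len(unsafe_filter(PARTS, f)) > 0
    print("leaked:", blind_extract(oracle, "owner__password__startswith"))
    try:
        safe_filter(PARTS, {"owner__password__startswith": "s"})
    except BadFilter as exc:
        print("blocked:", exc)
    print("legit:", safe_filter(PARTS, {"name__startswith": "M3", "active": True}))
```

In a real Django view the equivalent call is `queryset.filter(**validate_filters(request.data.get("filters", {})))`, with a separate allowlist per endpoint. Keep pattern lookups such as `regex`, `contains` and `iexact` off the allowlist even for permitted fields, since each one widens the oracle; and remember that the same traversal is possible through `exclude()` and `Q()` objects, so the check must sit wherever caller-controlled keys reach the ORM.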

NVD status

Status: Received (the CVE has been recently published to the CVE List and has been received by the NVD)
Source: [email protected]

Affected products (CPE)

Product                 CPE
inventree / inventree   cpe:2.3:a:inventree:inventree:<1.2.6:*:*:*:*:*:*:*
inventree / inventree   cpe:2.3:a:inventree:inventree:1.2.6:*:*:*:*:*:*:*
inventree / inventree   cpe:2.3:a:inventree:inventree:1.3.0:*:*:*:*:*:*:*

Note: the description identifies 1.2.6 and 1.3.0 as the patched releases, so only the first row (versions before 1.2.6) describes vulnerable installs; the other two rows are the version strings named in the advisory, not additional affected versions.

References