MEDIUM 5.4
PYSEC-2026-823
Inventree vulnerable to Stored Cross-site Scripting
Details
Inventree prior to 0.8.3 is vulnerable to stored cross-site scripting by uploading SVG files. Version 0.8.3 contains a patch for this issue.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-3355 [ADVISORY]
- https://github.com/inventree/inventree/commit/5a08ef908dd5344b4433436a4679d122f7f99e41 [WEB]
- https://github.com/inventree/InvenTree/releases/tag/0.8.3 [WEB]
- https://github.com/inventree/inventree [PACKAGE]
- https://huntr.dev/bounties/4b7fb92c-f06b-4bbf-82dc-9f013b30b6a6 [WEB]
- https://pypi.org/project/inventree [PACKAGE]
- https://github.com/advisories/GHSA-62g7-fpv9-v95f [ADVISORY]