{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-27629", "tracking": { "current_release_date": "2026-03-23T03:39:55.257161Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-27629", "initial_release_date": "2026-02-25T03:25:25.011104Z", "revision_history": [ { "date": "2026-02-25T03:25:25.011104Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)." }, { "date": "2026-02-25T03:25:30.771022Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-02-25T03:38:53.249185Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)." }, { "date": "2026-02-25T03:38:57.478298Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-02-25T07:35:28.508765Z", "number": "5", "summary": "NCSC Score updated." }, { "date": "2026-02-25T15:13:46.221659Z", "number": "6", "summary": "Source created.| CVE status created. (valid)| EPSS created." }, { "date": "2026-02-25T15:13:47.874576Z", "number": "7", "summary": "NCSC Score updated." }, { "date": "2026-02-26T00:31:59.938950Z", "number": "8", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (33).| Products created (3).| References created (3).| CWES updated (1)." }, { "date": "2026-02-26T00:32:04.831670Z", "number": "9", "summary": "NCSC Score updated." }, { "date": "2026-02-26T22:39:34.300409Z", "number": "10", "summary": "Unknown change." }, { "date": "2026-02-26T22:39:44.581039Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-02-27T20:25:41.256765Z", "number": "12", "summary": "Products created (1).| Product Identifiers created (1)." }, { "date": "2026-02-27T20:25:44.297536Z", "number": "13", "summary": "NCSC Score updated." }, { "date": "2026-03-20T09:40:27.486705Z", "number": "14", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T09:40:29.695107Z", "number": "15", "summary": "NCSC Score updated." } ], "status": "interim", "version": "15" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<1.2.3", "product": { "name": "vers:unknown/<1.2.3", "product_id": "CSAFPID-5736320", "product_identification_helper": { "cpe": "cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "InvenTree" } ], "category": "vendor", "name": "InvenTree Project" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<1.2.3", "product": { "name": "vers:unknown/<1.2.3", "product_id": "CSAFPID-5700858" } } ], "category": "product_name", "name": "InvenTree" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/0.0.10", "product": { "name": "vers:unknown/0.0.10", "product_id": "CSAFPID-3684263" } }, { "category": "product_version_range", "name": "vers:unknown/0.0.11", "product": { "name": "vers:unknown/0.0.11", "product_id": "CSAFPID-3684264" } }, { "category": "product_version_range", "name": "vers:unknown/0.0.12", "product": { "name": "vers:unknown/0.0.12", "product_id": "CSAFPID-3684265" } }, { "category": "product_version_range", "name": "vers:unknown/0.0.3", "product": { "name": "vers:unknown/0.0.3", "product_id": "CSAFPID-3684266", "product_identification_helper": { "purl": "pkg:pypi/inventree@0.0.3" } } }, { "category": "product_version_range", "name": "vers:unknown/0.0.6", "product": { "name": "vers:unknown/0.0.6", "product_id": "CSAFPID-3684267", "product_identification_helper": { "purl": "pkg:pypi/inventree@0.0.6" } } }, { "category": "product_version_range", "name": "vers:unknown/0.0.8", "product": { "name": "vers:unknown/0.0.8", "product_id": "CSAFPID-3684268", "product_identification_helper": { "purl": "pkg:pypi/inventree@0.0.8" } } }, { "category": "product_version_range", "name": "vers:unknown/0.0.9", "product": { "name": "vers:unknown/0.0.9", "product_id": "CSAFPID-3684269", "product_identification_helper": { "purl": "pkg:pypi/inventree@0.0.9" } } }, { "category": "product_version_range", "name": "vers:unknown/0.1.0", "product": { "name": "vers:unknown/0.1.0", "product_id": "CSAFPID-3684270", "product_identification_helper": { "purl": "pkg:pypi/inventree@0.1.0" } } }, { "category": "product_version_range", "name": "vers:unknown/0.1.1", "product": { "name": "vers:unknown/0.1.1", "product_id": "CSAFPID-3684271", "product_identification_helper": { "purl": "pkg:pypi/inventree@0.1.1" } } }, { "category": "product_version_range", "name": "vers:unknown/0.1.2", "product": { "name": "vers:unknown/0.1.2", "product_id": "CSAFPID-3684272", "product_identification_helper": { "purl": "pkg:pypi/inventree@0.1.2" } } }, { "category": "product_version_range", "name": "vers:unknown/0.1.4", "product": { "name": "vers:unknown/0.1.4", "product_id": "CSAFPID-3684273", "product_identification_helper": { "purl": "pkg:pypi/inventree@0.1.4" } } }, { "category": "product_version_range", "name": "vers:unknown/0.1.5", "product": { "name": "vers:unknown/0.1.5", "product_id": "CSAFPID-3684274" } }, { "category": "product_version_range", "name": "vers:unknown/0.1.6", "product": { "name": "vers:unknown/0.1.6", "product_id": "CSAFPID-3684275" } }, { "category": "product_version_range", "name": "vers:unknown/0.1.7", "product": { "name": "vers:unknown/0.1.7", "product_id": "CSAFPID-3684276" } }, { "category": "product_version_range", "name": "vers:unknown/0.1.8", "product": { "name": "vers:unknown/0.1.8", "product_id": "CSAFPID-3684277" } }, { "category": "product_version_range", "name": "vers:unknown/0.10.0", "product": { "name": "vers:unknown/0.10.0", "product_id": "CSAFPID-3684278" } }, { "category": "product_version_range", "name": "vers:unknown/0.11.0", "product": { "name": "vers:unknown/0.11.0", "product_id": "CSAFPID-3684279" } }, { "category": "product_version_range", "name": "vers:unknown/0.12.0", "product": { "name": "vers:unknown/0.12.0", "product_id": "CSAFPID-3684280" } }, { "category": "product_version_range", "name": "vers:unknown/0.13.0", "product": { "name": "vers:unknown/0.13.0", "product_id": "CSAFPID-3684281" } }, { "category": "product_version_range", "name": "vers:unknown/0.2.0", "product": { "name": "vers:unknown/0.2.0", "product_id": "CSAFPID-3684295" } }, { "category": "product_version_range", "name": "vers:unknown/0.2.1", "product": { "name": "vers:unknown/0.2.1", "product_id": "CSAFPID-3684296" } }, { "category": "product_version_range", "name": "vers:unknown/0.2.2", "product": { "name": "vers:unknown/0.2.2", "product_id": "CSAFPID-3684297" } }, { "category": "product_version_range", "name": "vers:unknown/0.2.3", "product": { "name": "vers:unknown/0.2.3", "product_id": "CSAFPID-3684298" } }, { "category": "product_version_range", "name": "vers:unknown/0.2.4", "product": { "name": "vers:unknown/0.2.4", "product_id": "CSAFPID-3684299", "product_identification_helper": { "purl": "pkg:pypi/inventree@0.2.4" } } }, { "category": "product_version_range", "name": "vers:unknown/0.3.0", "product": { "name": "vers:unknown/0.3.0", "product_id": "CSAFPID-3684300" } }, { "category": "product_version_range", "name": "vers:unknown/0.4.0", "product": { "name": "vers:unknown/0.4.0", "product_id": "CSAFPID-3684301" } }, { "category": "product_version_range", "name": "vers:unknown/0.8.0", "product": { "name": "vers:unknown/0.8.0", "product_id": "CSAFPID-3684302", "product_identification_helper": { "purl": "pkg:pypi/inventree@0.8.0" } } }, { "category": "product_version_range", "name": "vers:unknown/0.9.0", "product": { "name": "vers:unknown/0.9.0", "product_id": "CSAFPID-3684303" } }, { "category": "product_version_range", "name": "vers:unknown/1.2.0", "product": { "name": "vers:unknown/1.2.0", "product_id": "CSAFPID-5721764" } }, { "category": "product_version_range", "name": "vers:unknown/1.2.1", "product": { "name": "vers:unknown/1.2.1", "product_id": "CSAFPID-5721765" } }, { "category": "product_version_range", "name": "vers:unknown/1.2.2", "product": { "name": "vers:unknown/1.2.2", "product_id": "CSAFPID-5721767" } }, { "category": "product_version_range", "name": "vers:unknown/v0.0.11", "product": { "name": "vers:unknown/v0.0.11", "product_id": "CSAFPID-3684304" } }, { "category": "product_version_range", "name": "vers:unknown/v0.0.5", "product": { "name": "vers:unknown/v0.0.5", "product_id": "CSAFPID-3684305" } }, { "category": "product_version_range", "name": "vers:unknown/v0.0.7", "product": { "name": "vers:unknown/v0.0.7", "product_id": "CSAFPID-3684306" } }, { "category": "product_version_range", "name": "vers:unknown/v0.1.3", "product": { "name": "vers:unknown/v0.1.3", "product_id": "CSAFPID-3684307" } }, { "category": "product_version_range", "name": "vers:unknown/v0.7.0", "product": { "name": "vers:unknown/v0.7.0", "product_id": "CSAFPID-3684308" } } ], "category": "product_name", "name": "inventree" } ], "category": "vendor", "name": "inventree" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-27629", "cwe": { "id": "CWE-1336", "name": "Improper Neutralization of Special Elements Used in a Template Engine" }, "notes": [ { "category": "description", "text": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by a staff user to exfiltrate sensitive information or perform code execution on the server. This issue requires access by a user with granted staff permissions, followed by a request to generate a custom batch code via the API. Once the template has been modified in a malicious manner, the API call to generate a new batch code could be made by other users, and the template code will be executed with their user context. The code has been patched to ensure that all template generation is performed within a secure sandboxed context. This issue has been addressed in version 1.2.3, and any versions from 1.3.0 onwards. Some workarounds are available. The batch code template is a configurable global setting which can be adjusted via any user with staff access. To prevent this setting from being edited, it can be overridden at a system level to a default value, preventing it from being edited. This requires system administrator access, and cannot be changed from the client side once the server is running. It is recommended that for InvenTree installations prior to 1.2.3 the `STOCK_BATCH_CODE_TEMPLATE` and `PART_NAME_FORMAT` global settings are overridden at the system level to prevent editing.", "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-27629" }, { "category": "description", "text": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by a staff user to exfiltrate sensitive information or perform code execution on the server. This issue requires access by a user with granted staff permissions, followed by a request to generate a custom batch code via the API. Once the template has been modified in a malicious manner, the API call to generate a new batch code could be made by other users, and the template code will be executed with their user context. The code has been patched to ensure that all template generation is performed within a secure sandboxed context. This issue has been addressed in version 1.2.3, and any versions from 1.3.0 onwards. Some workarounds are available. The batch code template is a configurable global setting which can be adjusted via any user with staff access. To prevent this setting from being edited, it can be overridden at a system level to a default value, preventing it from being edited. This requires system administrator access, and cannot be changed from the client side once the server is running. It is recommended that for InvenTree installations prior to 1.2.3 the `STOCK_BATCH_CODE_TEMPLATE` and `PART_NAME_FORMAT` global settings are overridden at the system level to prevent editing.", "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-27629" }, { "category": "description", "text": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by a staff user to exfiltrate sensitive information or perform code execution on the server. This issue requires access by a user with granted staff permissions, followed by a request to generate a custom batch code via the API. Once the template has been modified in a malicious manner, the API call to generate a new batch code could be made by other users, and the template code will be executed with their user context. The code has been patched to ensure that all template generation is performed within a secure sandboxed context. This issue has been addressed in version 1.2.3, and any versions from 1.3.0 onwards. Some workarounds are available. The batch code template is a configurable global setting which can be adjusted via any user with staff access. To prevent this setting from being edited, it can be overridden at a system level to a default value, preventing it from being edited. This requires system administrator access, and cannot be changed from the client side once the server is running. It is recommended that for InvenTree installations prior to 1.2.3 the `STOCK_BATCH_CODE_TEMPLATE` and `PART_NAME_FORMAT` global settings are overridden at the system level to prevent editing.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27629.json?alt=media" }, { "category": "other", "text": "0.00132", "title": "EPSS" }, { "category": "other", "text": "5.0", "title": "NCSC Score" }, { "category": "other", "text": "There is product data available from source Nvd", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "Is related to (a version of) an uncommon product", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5700858", "CSAFPID-3684263", "CSAFPID-3684264", "CSAFPID-3684265", "CSAFPID-3684266", "CSAFPID-3684267", "CSAFPID-3684268", "CSAFPID-3684269", "CSAFPID-3684270", "CSAFPID-3684271", "CSAFPID-3684272", "CSAFPID-3684273", "CSAFPID-3684274", "CSAFPID-3684275", "CSAFPID-3684276", "CSAFPID-3684277", "CSAFPID-3684278", "CSAFPID-3684279", "CSAFPID-3684280", "CSAFPID-3684281", "CSAFPID-3684295", "CSAFPID-3684296", "CSAFPID-3684297", "CSAFPID-3684298", "CSAFPID-3684299", "CSAFPID-3684300", "CSAFPID-3684301", "CSAFPID-3684302", "CSAFPID-3684303", "CSAFPID-3684304", "CSAFPID-3684305", "CSAFPID-3684306", "CSAFPID-3684307", "CSAFPID-3684308", "CSAFPID-5721764", "CSAFPID-5721765", "CSAFPID-5721767", "CSAFPID-5736320" ] }, "references": [ { "category": "external", "summary": "Source - nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27629" }, { "category": "external", "summary": "Source raw - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27629" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://www.cve.org/CVERecord?id=CVE-2026-27629" }, { "category": "external", "summary": "Source raw - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27629.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27629" }, { "category": "external", "summary": "Source raw - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-27629.json?alt=media" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd; osv", "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-cx85-vr3q-9x4m" }, { "category": "external", "summary": "Reference - osv", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27629.json" }, { "category": "external", "summary": "Reference - osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27629" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "baseScore": 5.9, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-3684263", "CSAFPID-3684264", "CSAFPID-3684265", "CSAFPID-3684266", "CSAFPID-3684267", "CSAFPID-3684268", "CSAFPID-3684269", "CSAFPID-3684270", "CSAFPID-3684271", "CSAFPID-3684272", "CSAFPID-3684273", "CSAFPID-3684274", "CSAFPID-3684275", "CSAFPID-3684276", "CSAFPID-3684277", "CSAFPID-3684278", "CSAFPID-3684279", "CSAFPID-3684280", "CSAFPID-3684281", "CSAFPID-3684295", "CSAFPID-3684296", "CSAFPID-3684297", "CSAFPID-3684298", "CSAFPID-3684299", "CSAFPID-3684300", "CSAFPID-3684301", "CSAFPID-3684302", "CSAFPID-3684303", "CSAFPID-3684304", "CSAFPID-3684305", "CSAFPID-3684306", "CSAFPID-3684307", "CSAFPID-3684308", "CSAFPID-5700858", "CSAFPID-5721764", "CSAFPID-5721765", "CSAFPID-5721767", "CSAFPID-5736320" ] } ], "title": "CVE-2026-27629" } ] }