Cyber Resilience

CVE-2026-34365

HighPublic PoC

Published: 31 March 2026

Published
31 March 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0024 15.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34365 is a high-severity SSRF (CWE-918) vulnerability in Invoiceshelf Invoiceshelf. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34365 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting the open-source InvoiceShelf web and mobile application for tracking expenses, payments, and generating professional invoices and estimates in versions prior to 2.2.0. The flaw exists in the Estimate PDF generation module, where user-supplied HTML entered in the Notes field is passed unsanitized to the Dompdf rendering library, which fetches any remote resources referenced in the markup. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N).

Users with high privileges can exploit this vulnerability over the network with low attack complexity and no user interaction required, directly via the PDF preview and customer view endpoints, regardless of automated email attachment settings. Exploitation enables the server to make unauthorized requests to remote resources, resulting in high confidentiality impact due to potential access to internal networks or sensitive data, with low integrity impact and no availability disruption, amplified by the changed scope.

The issue has been addressed in InvoiceShelf version 2.2.0. Advisories recommend upgrading to this patched version. Additional details are available in the GitHub security advisory at https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-pc5v-8xwc-v9xq and release notes at https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the…

more

estimate Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF preview and customer view endpoints regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in public-facing web app directly enables T1190 for initial exploitation; SSRF facilitates internal network probing and service enumeration via T1046.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34366Same product: Invoiceshelf Invoiceshelf
CVE-2026-34367Same product: Invoiceshelf Invoiceshelf
CVE-2026-0613Shared CWE-918
CVE-2026-42860Shared CWE-918
CVE-2025-2997Shared CWE-918
CVE-2026-0686Shared CWE-918
CVE-2025-25785Shared CWE-918
CVE-2025-55150Shared CWE-918
CVE-2026-45082Shared CWE-918
CVE-2026-7094Shared CWE-918

Affected Assets

invoiceshelf
invoiceshelf
≤ 2.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates and sanitizes user-supplied HTML in the Estimate Notes field to block malicious remote resource references before passing to the Dompdf library.

prevent

Remediates the SSRF flaw by identifying, testing, and applying the patch released in InvoiceShelf version 2.2.0.

preventdetect

Monitors and controls outbound communications at system boundaries to block unauthorized server requests to internal or sensitive resources triggered by SSRF exploitation.

References