CVE-2026-34365
Published: 31 March 2026
Summary
CVE-2026-34365 is a high-severity SSRF (CWE-918) vulnerability in Invoiceshelf Invoiceshelf. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates and sanitizes user-supplied HTML in the Estimate Notes field to block malicious remote resource references before passing to the Dompdf library.
Remediates the SSRF flaw by identifying, testing, and applying the patch released in InvoiceShelf version 2.2.0.
Monitors and controls outbound communications at system boundaries to block unauthorized server requests to internal or sensitive resources triggered by SSRF exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing web app directly enables T1190 for initial exploitation; SSRF facilitates internal network probing and service enumeration via T1046.
NVD Description
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the…
more
estimate Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF preview and customer view endpoints regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.
Deeper analysisAI
CVE-2026-34365 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting the open-source InvoiceShelf web and mobile application for tracking expenses, payments, and generating professional invoices and estimates in versions prior to 2.2.0. The flaw exists in the Estimate PDF generation module, where user-supplied HTML entered in the Notes field is passed unsanitized to the Dompdf rendering library, which fetches any remote resources referenced in the markup. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N).
Users with high privileges can exploit this vulnerability over the network with low attack complexity and no user interaction required, directly via the PDF preview and customer view endpoints, regardless of automated email attachment settings. Exploitation enables the server to make unauthorized requests to remote resources, resulting in high confidentiality impact due to potential access to internal networks or sensitive data, with low integrity impact and no availability disruption, amplified by the changed scope.
The issue has been addressed in InvoiceShelf version 2.2.0. Advisories recommend upgrading to this patched version. Additional details are available in the GitHub security advisory at https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-pc5v-8xwc-v9xq and release notes at https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0.
Details
- CWE(s)