CVE-2026-34366
Published: 31 March 2026
Summary
CVE-2026-34366 is a high-severity SSRF (CWE-918) vulnerability in Invoiceshelf Invoiceshelf. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of user-supplied HTML in the payment Notes field to prevent unsanitized input from triggering remote resource fetches in Dompdf.
Monitors and controls outbound communications at system boundaries to block unauthorized server-side requests to remote or internal resources exploited via SSRF.
Enforces information flow policies to mediate and restrict server-initiated requests based on user-controlled inputs during PDF generation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing web app enables T1190 (exploit public-facing application) via the PDF endpoint; facilitates T1046 (network service discovery) by allowing unauthorized requests to internal services/data.
NVD Description
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in…
more
the payment Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.
Deeper analysisAI
CVE-2026-34366 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting the open-source InvoiceShelf web and mobile application used for tracking expenses, payments, and generating professional invoices and estimates. In versions prior to 2.2.0, the Payment receipt PDF generation module passes user-supplied HTML from the payment Notes field unsanitized to the Dompdf rendering library, which fetches any remote resources referenced in the markup.
The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N) and can be exploited by authenticated users with high privileges via the PDF receipt endpoint, regardless of automated email attachment settings. Successful exploitation allows attackers to force the server to make unauthorized requests to remote resources, resulting in high confidentiality impact through potential access to internal services or data, low integrity impact, and no availability impact.
The issue has been patched in InvoiceShelf version 2.2.0. Advisories recommend updating to this version for mitigation. Additional details are available in the GitHub security advisory at https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-38hf-fq8x-q49r and release notes at https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0.
Details
- CWE(s)