Cyber Resilience

CVE-2026-34366

HighPublic PoC

Published: 31 March 2026

Published
31 March 2026
Modified
07 April 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0024 15.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34366 is a high-severity SSRF (CWE-918) vulnerability in Invoiceshelf Invoiceshelf. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-34366 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, affecting the open-source InvoiceShelf web and mobile application used for tracking expenses, payments, and generating professional invoices and estimates. In versions prior to 2.2.0, the Payment receipt PDF generation module passes user-supplied HTML from the payment Notes field unsanitized to the Dompdf rendering library, which fetches any remote resources referenced in the markup.

The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N) and can be exploited by authenticated users with high privileges via the PDF receipt endpoint, regardless of automated email attachment settings. Successful exploitation allows attackers to force the server to make unauthorized requests to remote resources, resulting in high confidentiality impact through potential access to internal services or data, low integrity impact, and no availability impact.

The issue has been patched in InvoiceShelf version 2.2.0. Advisories recommend updating to this version for mitigation. Additional details are available in the GitHub security advisory at https://github.com/InvoiceShelf/InvoiceShelf/security/advisories/GHSA-38hf-fq8x-q49r and release notes at https://github.com/InvoiceShelf/InvoiceShelf/releases/tag/2.2.0.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML in…

more

the payment Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. The vulnerability is exploitable directly via the PDF receipt endpoint, regardless of whether automated email attachments are enabled. This issue has been patched in version 2.2.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in public-facing web app enables T1190 (exploit public-facing application) via the PDF endpoint; facilitates T1046 (network service discovery) by allowing unauthorized requests to internal services/data.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34365Same product: Invoiceshelf Invoiceshelf
CVE-2026-34367Same product: Invoiceshelf Invoiceshelf
CVE-2026-0613Shared CWE-918
CVE-2026-42860Shared CWE-918
CVE-2025-2997Shared CWE-918
CVE-2026-0686Shared CWE-918
CVE-2025-25785Shared CWE-918
CVE-2025-55150Shared CWE-918
CVE-2026-45082Shared CWE-918
CVE-2026-7094Shared CWE-918

Affected Assets

invoiceshelf
invoiceshelf
≤ 2.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of user-supplied HTML in the payment Notes field to prevent unsanitized input from triggering remote resource fetches in Dompdf.

prevent

Monitors and controls outbound communications at system boundaries to block unauthorized server-side requests to remote or internal resources exploited via SSRF.

prevent

Enforces information flow policies to mediate and restrict server-initiated requests based on user-controlled inputs during PDF generation.

References