CVE-2026-34367
Published: 31 March 2026
Summary
CVE-2026-34367 is a high-severity SSRF (CWE-918) vulnerability in Invoiceshelf Invoiceshelf. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates and sanitizes user-supplied HTML in the invoice Notes field to prevent malicious markup from causing the Dompdf library to fetch arbitrary remote resources.
Remediates the SSRF flaw by applying patches like version 2.2.0, which sanitizes input before passing to Dompdf.
Monitors and controls outbound communications at the system boundary to block unauthorized server-initiated requests to remote or internal resources triggered by SSRF.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF vulnerability in public-facing web app directly enables exploitation of the application for initial access (T1190) and access to internal/cloud metadata services (T1522).
NVD Description
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Invoice PDF generation module. User-supplied HTML in the…
more
invoice Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. This can be triggered via the PDF preview and email delivery endpoints. This issue has been patched in version 2.2.0.
Deeper analysisAI
CVE-2026-34367 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting InvoiceShelf, an open-source web and mobile application for tracking expenses, payments, and generating professional invoices and estimates. The issue resides in the Invoice PDF generation module prior to version 2.2.0, where user-supplied HTML entered in the invoice Notes field is passed unsanitized to the Dompdf rendering library. This allows the library to fetch arbitrary remote resources referenced in the markup during PDF processing.
The vulnerability can be exploited by authenticated users with high privileges (PR:H) over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). Attackers can trigger it via the PDF preview or email delivery endpoints, causing the server to make unintended requests to remote resources. Successful exploitation leads to high confidentiality impact (C:H) with a changed scope (S:C), potentially allowing access to internal services or metadata, alongside low integrity impact (I:L) and no availability impact (A:N), as reflected in the CVSS v3.1 base score of 7.6.
The GitHub security advisory (GHSA-q9wx-ggwq-mcgh) and release notes for version 2.2.0 confirm that the issue has been patched by sanitizing the user-supplied HTML in the Notes field before passing it to Dompdf, preventing unauthorized remote resource fetches. Security practitioners should upgrade to InvoiceShelf 2.2.0 or later and review access controls for invoice editing features.
Details
- CWE(s)