Cyber Resilience

CVE-2026-34367

HighPublic PoC

Published: 31 March 2026

Published
31 March 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0026 17.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34367 is a high-severity SSRF (CWE-918) vulnerability in Invoiceshelf Invoiceshelf. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-34367 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting InvoiceShelf, an open-source web and mobile application for tracking expenses, payments, and generating professional invoices and estimates. The issue resides in the Invoice PDF generation module prior to version 2.2.0, where user-supplied HTML entered in the invoice Notes field is passed unsanitized to the Dompdf rendering library. This allows the library to fetch arbitrary remote resources referenced in the markup during PDF processing.

The vulnerability can be exploited by authenticated users with high privileges (PR:H) over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). Attackers can trigger it via the PDF preview or email delivery endpoints, causing the server to make unintended requests to remote resources. Successful exploitation leads to high confidentiality impact (C:H) with a changed scope (S:C), potentially allowing access to internal services or metadata, alongside low integrity impact (I:L) and no availability impact (A:N), as reflected in the CVSS v3.1 base score of 7.6.

The GitHub security advisory (GHSA-q9wx-ggwq-mcgh) and release notes for version 2.2.0 confirm that the issue has been patched by sanitizing the user-supplied HTML in the Notes field before passing it to Dompdf, preventing unauthorized remote resource fetches. Security practitioners should upgrade to InvoiceShelf 2.2.0 or later and review access controls for invoice editing features.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Invoice PDF generation module. User-supplied HTML in the…

more

invoice Notes field is passed unsanitised to the Dompdf rendering library, which will fetch any remote resources referenced in the markup. This can be triggered via the PDF preview and email delivery endpoints. This issue has been patched in version 2.2.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF vulnerability in public-facing web app directly enables exploitation of the application for initial access (T1190) and access to internal/cloud metadata services (T1522).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34366Same product: Invoiceshelf Invoiceshelf
CVE-2026-34365Same product: Invoiceshelf Invoiceshelf
CVE-2026-33039Shared CWE-918
CVE-2026-33351Shared CWE-918
CVE-2025-54122Shared CWE-918
CVE-2026-25545Shared CWE-918
CVE-2026-41905Shared CWE-918
CVE-2025-50180Shared CWE-918
CVE-2026-28423Shared CWE-918
CVE-2026-42595Shared CWE-918

Affected Assets

invoiceshelf
invoiceshelf
≤ 2.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates and sanitizes user-supplied HTML in the invoice Notes field to prevent malicious markup from causing the Dompdf library to fetch arbitrary remote resources.

prevent

Remediates the SSRF flaw by applying patches like version 2.2.0, which sanitizes input before passing to Dompdf.

preventdetect

Monitors and controls outbound communications at the system boundary to block unauthorized server-initiated requests to remote or internal resources triggered by SSRF.

References