{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T01:32:14.008","vulnerabilities":[{"cve":{"id":"CVE-2026-33530","sourceIdentifier":"security-advisories@github.com","published":"2026-03-26T20:16:15.237","lastModified":"2026-04-01T18:48:48.383","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available."},{"lang":"es","value":"InvenTree es un Sistema de Gestión de Inventario de Código Abierto. Antes de la versión 1.2.6, ciertos endpoints de la API asociados con operaciones de datos masivas pueden ser secuestrados para exfiltrar información sensible de la base de datos. Los endpoints de la API de operaciones masivas (por ejemplo, `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, y otros) aceptan un parámetro 'filters' que se pasa directamente a `queryset.filter(**filters)` del ORM de Django sin ninguna lista blanca de campos. Esto permite a cualquier usuario autenticado recorrer relaciones de modelos usando la sintaxis de búsqueda `__` de Django y realizar extracción de datos ciega basada en booleanos. Este problema está parcheado en la versión 1.2.6, y 1.3.0 (o superior). Los usuarios deben actualizar a las versiones parcheadas. No se conocen soluciones alternativas disponibles."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-202"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.6","matchCriteriaId":"E308BCC2-3004-4830-92B8-4462819ECD0D"}]}]}],"references":[{"url":"https://github.com/inventree/InvenTree/pull/11581","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}