{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33530", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.830Z", "datePublished": "2026-03-26T19:34:51.294Z", "dateUpdated": "2026-03-30T11:24:37.542Z"}, "containers": {"cna": {"title": "InvenTree Vulnerable to ORM Filter Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-202", "lang": "en", "description": "CWE-202: Exposure of Sensitive Information Through Data Queries", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg"}, {"name": "https://github.com/inventree/InvenTree/pull/11581", "tags": ["x_refsource_MISC"], "url": "https://github.com/inventree/InvenTree/pull/11581"}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"version": "< 1.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:34:51.294Z"}, "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available."}], "source": {"advisory": "GHSA-m8j2-vfmq-p6qg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:24:21.708647Z", "id": "CVE-2026-33530", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:24:37.542Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33530", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T11:24:21.708647Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:24:33.767Z"}}], "cna": {"title": "InvenTree Vulnerable to ORM Filter Injection", "source": {"advisory": "GHSA-m8j2-vfmq-p6qg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "inventree", "product": "InvenTree", "versions": [{"status": "affected", "version": "< 1.2.6"}]}], "references": [{"url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg", "name": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/inventree/InvenTree/pull/11581", "name": "https://github.com/inventree/InvenTree/pull/11581", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-202", "description": "CWE-202: Exposure of Sensitive Information Through Data Queries"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:34:51.294Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33530", "state": "PUBLISHED", "dateUpdated": "2026-03-30T11:24:37.542Z", "dateReserved": "2026-03-20T18:05:11.830Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T19:34:51.294Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints (e.g. `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, and others) accept a filters parameter that is passed directly to Django's ORM queryset.filter(**filters) without any field allowlisting. This enables any authenticated user to traverse model relationships using Django's __ lookup syntax and perform blind boolean-based data extraction. This issue is patched in version 1.2.6, and 1.3.0 (or above). Users should update to the patched versions. No known workarounds are available."}, {"lang": "es", "value": "InvenTree es un Sistema de Gesti\u00f3n de Inventario de C\u00f3digo Abierto. Antes de la versi\u00f3n 1.2.6, ciertos endpoints de la API asociados con operaciones de datos masivas pueden ser secuestrados para exfiltrar informaci\u00f3n sensible de la base de datos. Los endpoints de la API de operaciones masivas (por ejemplo, `/api/part/`, `/api/stock/`, `/api/order/so/allocation/`, y otros) aceptan un par\u00e1metro 'filters' que se pasa directamente a `queryset.filter(**filters)` del ORM de Django sin ninguna lista blanca de campos. Esto permite a cualquier usuario autenticado recorrer relaciones de modelos usando la sintaxis de b\u00fasqueda `__` de Django y realizar extracci\u00f3n de datos ciega basada en booleanos. Este problema est\u00e1 parcheado en la versi\u00f3n 1.2.6, y 1.3.0 (o superior). Los usuarios deben actualizar a las versiones parcheadas. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-33530", "lastModified": "2026-03-30T13:26:50.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T20:16:15.237", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/inventree/InvenTree/pull/11581"}, {"source": "security-advisories@github.com", "url": "https://github.com/inventree/InvenTree/security/advisories/GHSA-m8j2-vfmq-p6qg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-202"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}