Server-Side Request Forgery in InvoiceNinja's Migration Import Component
CVE-2026-0649
Key Information:
- Vendor
InvoiceNinja
- Status
- Vendor
- CVE Published:
- 7 January 2026
Badges
What is CVE-2026-0649?
A vulnerability in InvoiceNinja's Migration Import component affects versions up to 5.12.38. The flaw exists in the 'copy' function located in /app/Jobs/Util/Import.php, where improper handling of the 'company_logo' argument allows for server-side request forgery (SSRF). This vulnerability enables attackers to send crafted requests from the server, potentially exposing sensitive data. The issue is publicly known, and proactive measures should be taken to mitigate potential exploitation.
Affected Version(s)
invoiceninja 5.12.0
invoiceninja 5.12.1
invoiceninja 5.12.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
