Insecure Template Hijacking in InvenTree Inventory Management System
CVE-2026-27629
What is CVE-2026-27629?
InvenTree, an open source inventory management system, is affected by a vulnerability in which an insecure, customizable server-side template can be hijacked. This can expose sensitive information or allow unauthorized code execution on the server. The weakness arises because a staff user can modify the customizable Jinja2 template used to generate custom batch codes so that it exfiltrates secure data, and any user can then trigger execution of that malicious template without holding the permission to edit it, leading to potential data breaches. The issue is fixed in version 1.2.3, which executes these templates inside a secure sandbox. For installations prior to this version, users are encouraged to override the relevant settings at the system level so that the template cannot be edited without authorization.
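To show the difference between the vulnerable and the mitigated rendering path, here is an added example (not InvenTree's own code) that renders a staff-editable batch code template in a plain Jinja2 environment and in Jinja2's built-in sandbox; it assumes the sandbox used by the fix is `jinja2.sandbox.SandboxedEnvironment`, and the `Part` class, `safe_batch_code` wrapper and template strings are constructed for illustration.

```python
# Added example, not InvenTree's own code. It assumes the 1.2.3 fix relies on
# Jinja2's built-in SandboxedEnvironment; Part and the templates are constructed.
from jinja2 import Environment, StrictUndefined
from jinja2.sandbox import SandboxedEnvironment, SecurityError


class Part:
    """Constructed stand-in for the object a batch code template can reference."""

    def __init__(self, name: str, ipn: str):
        self.name = name
        self.ipn = ipn


def render_unsandboxed(template_src: str, context: dict) -> str:
    """Vulnerable pattern: a plain Environment lets a staff-edited template
    reach Python internals through attribute access on context objects."""
    env = Environment(autoescape=False, undefined=StrictUndefined)
    return env.from_string(template_src).render(**context)


def render_sandboxed(template_src: str, context: dict) -> str:
    """Hardened pattern: SandboxedEnvironment rejects private (underscore)
    attributes and other unsafe lookups; StrictUndefined makes the rejection
    raise SecurityError instead of silently rendering an empty string."""
    env = SandboxedEnvironment(autoescape=False, undefined=StrictUndefined)
    return env.from_string(template_src).render(**context)


def safe_batch_code(template_src: str, context: dict, fallback: str = "BATCH-BLOCKED") -> str:
    """Defensive wrapper for the batch-creation path: render in the sandbox and,
    if the template is rejected, fall back to a constant code so the attempt is
    visible in logs rather than breaking batch creation for the triggering user."""
    try:
        return render_sandboxed(template_src, context)
    except SecurityError as exc:
        print(f"blocked unsafe batch code template: {exc}")
        return fallback


if __name__ == "__main__":
    ctx = {"part": Part("Widget", "W-001"), "prefix": "B"}
    print(render_sandboxed("{{ prefix }}-{{ part.ipn }}", ctx))  # benign template renders
    print(safe_batch_code("{{ part.__class__ }}", ctx))          # unsafe access is blocked
```

The same benign template renders identically in both environments; only the sandbox refuses the template that walks into object internals, which is the behaviour an upgrade to 1.2.3 should be verified to provide.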

Affected Version(s)
InvenTree < 1.2.3
