Stored XSS in Part IPN in inventree/inventree


Reported on

Jun 11th 2022


The application inventree is vulnerable to Stored XSS in the part IPN field.

Proof of Concept

Video PoC link:


This allows the attacker to execute malicious scripts in all the project members' browsers, and it can lead to session hijacking, sensitive data exposure, and worse.

We are processing your report and will contact the inventree team within 24 hours. 15 days ago
Matthias Mair validated this vulnerability 13 days ago

This is a valid vulnerability - it will be fixed within 28 days by the maintainers.

saharshtapi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Oliver confirmed that a fix has been merged on 26bf51 11 days ago
Oliver has been awarded the fix bounty
10 days ago


@admin Can you assign CVE?
