inventree/inventree-website
2
0
Fork 0
mirror of https://github.com/inventree/inventree-website.git synced 2026-04-05 02:40:59 +00:00
Code Activity

deploy: bc41cb8a42

Browse Source
This commit is contained in:
matmair
2026-03-26 07:11:16 +00:00
parent 5da57d81eb
commit 4af8df52bc
40 changed files with 565 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files

204
blog/2026/03/25/security-release.html Normal file
View File

@@ -0,0 +1,204 @@
<!DOCTYPE html>
<html lang=" en-US ">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="/assets/splide/css/splide.min.css">
<link rel="stylesheet" href="/assets/index.css">
<link rel="shortcut icon" type="image/png" href="/assets/icon/favicon.ico">
<script src="/assets/splide/js/splide.min.js"></script>
<!-- Fontawesome integration -->
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.2.1/css/all.min.css">
<title>InvenTree - Action required - Upcoming Security Release</title>
<meta itemprop="description" name="description"
content="InvenTree is an open-source inventory management system which provides intuitive parts management and stock control. It is at the center of an ecosystem of a..." />
<!-- Begin Jekyll SEO tag v2.8.0 -->
<title>Action required - Upcoming Security Release | InvenTree</title>
<meta name="generator" content="Jekyll v4.4.1" />
<meta property="og:title" content="Action required - Upcoming Security Release" />
<meta name="author" content="matmair" />
<meta property="og:locale" content="en_US" />
<meta name="description" content="The InvenTree core development team has received a report of a critical security vulnerability affecting a large range of releases since 2024. We will release a disclosure and a fixed release for the 1.2.x release series on 2026-04-08 21:00 UTC. The vulnerability allows for lateral movement and privilege escalation within an InvenTree instance. It has a low attack complexity." />
<meta property="og:description" content="The InvenTree core development team has received a report of a critical security vulnerability affecting a large range of releases since 2024. We will release a disclosure and a fixed release for the 1.2.x release series on 2026-04-08 21:00 UTC. The vulnerability allows for lateral movement and privilege escalation within an InvenTree instance. It has a low attack complexity." />
<link rel="canonical" href="/blog/2026/03/25/security-release" />
<meta property="og:url" content="/blog/2026/03/25/security-release" />
<meta property="og:site_name" content="InvenTree" />
<meta property="og:type" content="article" />
<meta property="article:published_time" content="2026-03-25T00:00:00+00:00" />
<meta name="twitter:card" content="summary" />
<meta property="twitter:title" content="Action required - Upcoming Security Release" />
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"BlogPosting","author":{"@type":"Person","name":"matmair"},"dateModified":"2026-03-25T00:00:00+00:00","datePublished":"2026-03-25T00:00:00+00:00","description":"The InvenTree core development team has received a report of a critical security vulnerability affecting a large range of releases since 2024. We will release a disclosure and a fixed release for the 1.2.x release series on 2026-04-08 21:00 UTC. The vulnerability allows for lateral movement and privilege escalation within an InvenTree instance. It has a low attack complexity.","headline":"Action required - Upcoming Security Release","mainEntityOfPage":{"@type":"WebPage","@id":"/blog/2026/03/25/security-release"},"url":"/blog/2026/03/25/security-release"}</script>
<!-- End Jekyll SEO tag -->
</head>
<body class="flex flex-col antialiased cm-gray-1 min-h-screen">
<div class="flex-none">
<header class="cm-gray-2 body-font sticky top-0 z-50 bg-gradient-to-r from-white to-secondary">
<div class="container mx-auto flex flex-wrap p-5 flex-row items-center">
<a class="flex title-font font-medium items-center cm-gray-1 mb-0 mr-2" href="/">
<img src="/assets/logo.png" alt="logo" height="32" width="32" class="h-8">
<span class="ml-3 text-xl">InvenTree</span>
</a>
<div class="flex-grow xs:flex-none"></div>
<nav class="md:mr-auto md:py-1 xs:ml-4 xs:pl-4 xs:border-l xs:border-gray-400 flex flex-wrap items-center text-base justify-center">
<a class="mr-5 hover:cm-gray-1" href="/deploy.html">Deploy</a>
<a class="mr-5 hover:cm-gray-1" href="https://docs.inventree.org/en/stable/">Docs</a>
<a class="mr-5 hover:cm-gray-1" href="/blog">Blog</a>
</nav>
</div>
</header> <header>
<a href="/blog" class="flex items-center m-5 text-xl hover:underline">
<img class="w-6 h-6" alt="go back" src="/assets/back.svg">
<span>Back</span>
</a>
</header>
<article>
<h1>Action required - Upcoming Security Release</h1>
<p>
25 Mar 2026
<a href="/matmair">Matthias Mair</a>
</p>
<p>The InvenTree core development team has received a report of a <em>critical security vulnerability</em> affecting a large range of releases since 2024. We will release a disclosure and a fixed release for the 1.2.x release series on 2026-04-08 21:00 UTC.<br>
The vulnerability allows for lateral movement and privilege escalation within an InvenTree instance. It has a low attack complexity.</p>
<h2 id="steps-to-take-now">Steps to take now</h2>
<p>We are not aware of active exploitation of this vulnerability, but we recommend that users take the following steps to mitigate risks:</p>
<ul>
<li>Do <em>not</em> expose your InvenTree instance to the public internet without hardening steps as laid out in the <a href="https://docs.inventree.org/en/stable/concepts/threat_model/">threat model</a>
</li>
<li>Ensure <em>registration is disabled</em> till the release</li>
<li>Ensure you <em>trust all users registered</em> on your instance, especially those with staff or higher permissions</li>
</ul>
<p>The vulnerability has a low complexity and can be expected to be exploited once released. It is important to prepare to update or take your system off the public internet.</p>
<h2 id="security-policy">Security Policy</h2>
<p>As always with security related themes we remind all users, security researchers, and intrested parties of our <a href="https://inventree.readthedocs.io/en/stable/security/">security policy</a>.</p>
<p>If you have discovered a security vulnerability, please report it to us via the channels described in the policy. We take all reports seriously and will work to address any vulnerabilities in a timely manner.</p>
<p>We would like to thank the security researcher who reported this and several other vulnerabilities in a responsible manner, and we encourage others to do the same in the future. The reporter will be credited in the disclosure and CVE entry.</p>
</article>
</div>
<div class="flex-grow"></div>
<div class="flex-none">
<footer class="cm-gray-2 body-font">
<div class="container px-5 pt-8 mx-auto flex md:flex-row md:flex-nowrap flex-wrap flex-col">
<div class="w-64 flex-shrink-0 md:mx-0 mx-auto text-center md:text-left">
<div class="flex title-font font-medium items-center md:justify-start justify-center cm-gray-1">
<img src="/assets/logo.png" alt="logo" height="32" width="32" class="h-8">
<span class="ml-3 text-xl">InvenTree</span>
</div>
<p class="mt-2 text-sm cm-gray-3">Intuitive Inventory Management</p>
</div>
<div class="flex-grow flex flex-wrap md:pl-10 mb-1 md:mt-0 mt-10 md:text-left text-center md:justify-left justify-center">
<div class="md:w-1/4 px-4">
<h2 class="footer-categorie title-font">
Quick
</h2>
<nav class="list-none mb-10"><ul>
<li><a href="/demo.html" class="footer-link">Demo</a></li>
<li><a href="/deploy.html" class="footer-link">Deploy</a></li>
<li><a href="https://docs.inventree.org/en/stable/" class="footer-link">Docs</a></li>
<li><a href="/news" class="footer-link">News</a></li>
<li><a href="/plugins" class="footer-link">Plugin List</a></li>
</ul></nav>
</div>
<div class="md:w-1/4 px-4">
<h2 class="footer-categorie title-font">
<a href="/extend/">Ecosystem</a>
</h2>
<nav class="list-none mb-10"><ul>
<li><a href="/extend/api.html" class="footer-link">API</a></li>
<li><a href="/extend/app.html" class="footer-link">App</a></li>
<li><a href="/extend/plugin/" class="footer-link">Plugins</a></li>
<li><a href="/extend/integrate/" class="footer-link">Integrations</a></li>
</ul></nav>
</div>
<div class="md:w-1/4 px-4">
<h2 class="footer-categorie title-font">
Sitemap
</h2>
<nav class="list-none mb-10"><ul>
<li><a href="/about/" class="footer-link">About</a></li>
<li><a href="/alternatives/" class="footer-link">Alternatives</a></li>
<li><a href="/blog" class="footer-link">Blog</a></li>
<li><a href="/contribute.html" class="footer-link">Contribute</a></li>
<li><a href="/support.html" class="footer-link">Support</a></li>
</ul></nav>
</div>
</div>
</div>
<div class="bg-gray-100">
<div class="container mx-auto py-4 px-5 flex flex-wrap flex-col sm:flex-row">
<p class="cm-gray-2 text-sm text-center sm:text-left">© 2021-now InvenTree by<a href="https://github.com/inventree" rel="noopener" class="cm-gray-2 ml-1" target="_blank">@inventree</a>— website made with ♥ by<a href="https://github.com/matmair" rel="noopener" class="cm-gray-2 ml-1" target="_blank">@matmair</a></p>
<span class="inline-flex sm:ml-auto sm:mt-0 mt-2 justify-center sm:justify-start">
<span class="invisible"><a rel="me" href="https://chaos.social/@InvenTree">Mastodon</a></span>
<a href="https://github.com/inventree/inventree" alt="github repo" class="ml-3 cm-gray-3">
<img class="h-5 w-5" alt="GitHub logo" src="/assets/github.svg">
</a>
<a href="https://reddit.com/r/inventree" alt="Reddit" class="ml-3 cm-gray-3">
<img class="h-5 w-5" alt="Reddit logo" src="/assets/reddit.svg">
</a>
<a href="https://twitter.com/inventreedb" alt="Twitter" class="ml-3 cm-gray-3">
<img class="h-5 w-5" alt="Twitter logo" src="/assets/twitter.svg">
</a>
<a href="https://chaos.social/@InvenTree" rel="me" alt="Mastodon" class="ml-3 cm-gray-3">
<img class="h-5 w-5" alt="Mastodon logo" src="/assets/mastodon.svg">
</a>
</span>
</div>
</div>
</footer>
</div>
</body>
</html>

28
blog/feed.atom
View File

@@ -1,4 +1,24 @@
<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator><link href="/blog/feed.atom" rel="self" type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" /><updated>2026-03-26T07:04:35+00:00</updated><id>/blog/feed.atom</id><title type="html">InvenTree</title><subtitle>InvenTree is an open-source inventory management system which provides intuitive parts management and stock control. It is at the center of an ecosystem of addins for EDA tools, API wrapper, deeply integrated plugins and 3rd party tools.</subtitle><entry><title type="html">1.2.0 Release</title><link href="/blog/2026/02/12/1.2.0" rel="alternate" type="text/html" title="1.2.0 Release" /><published>2026-02-12T00:00:00+00:00</published><updated>2026-02-12T00:00:00+00:00</updated><id>/blog/2026/02/12/1.2.0</id><content type="html" xml:base="/blog/2026/02/12/1.2.0"><![CDATA[<p>The InvenTree team is excited to announce the release of version 1.2.0. Attention: This release has no support for PostgreSQL 13 - our docs contain information regading <a href="https://docs.inventree.org/en/latest/start/migrate/#migrating-between-incompatible-database-versions">PostgreSQL updates</a>. At least PostgreSQL 14 is required, we recommend PostgreSQL 18.</p>
<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator><link href="/blog/feed.atom" rel="self" type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" /><updated>2026-03-26T07:11:04+00:00</updated><id>/blog/feed.atom</id><title type="html">InvenTree</title><subtitle>InvenTree is an open-source inventory management system which provides intuitive parts management and stock control. It is at the center of an ecosystem of addins for EDA tools, API wrapper, deeply integrated plugins and 3rd party tools.</subtitle><entry><title type="html">Action required - Upcoming Security Release</title><link href="/blog/2026/03/25/security-release" rel="alternate" type="text/html" title="Action required - Upcoming Security Release" /><published>2026-03-25T00:00:00+00:00</published><updated>2026-03-25T00:00:00+00:00</updated><id>/blog/2026/03/25/security-release</id><content type="html" xml:base="/blog/2026/03/25/security-release"><![CDATA[<p>The InvenTree core development team has received a report of a <em>critical security vulnerability</em> affecting a large range of releases since 2024. We will release a disclosure and a fixed release for the 1.2.x release series on 2026-04-08 21:00 UTC.<br />
The vulnerability allows for lateral movement and privilege escalation within an InvenTree instance. It has a low attack complexity.</p>
<h2 id="steps-to-take-now">Steps to take now</h2>
<p>We are not aware of active exploitation of this vulnerability, but we recommend that users take the following steps to mitigate risks:</p>
<ul>
<li>Do <em>not</em> expose your InvenTree instance to the public internet without hardening steps as laid out in the <a href="https://docs.inventree.org/en/stable/concepts/threat_model/">threat model</a></li>
<li>Ensure <em>registration is disabled</em> till the release</li>
<li>Ensure you <em>trust all users registered</em> on your instance, especially those with staff or higher permissions</li>
</ul>
<p>The vulnerability has a low complexity and can be expected to be exploited once released. It is important to prepare to update or take your system off the public internet.</p>
<h2 id="security-policy">Security Policy</h2>
<p>As always with security related themes we remind all users, security researchers, and intrested parties of our <a href="https://inventree.readthedocs.io/en/stable/security/">security policy</a>.</p>
<p>If you have discovered a security vulnerability, please report it to us via the channels described in the policy. We take all reports seriously and will work to address any vulnerabilities in a timely manner.</p>
<p>We would like to thank the security researcher who reported this and several other vulnerabilities in a responsible manner, and we encourage others to do the same in the future. The reporter will be credited in the disclosure and CVE entry.</p>]]></content><author><name>matmair</name></author><summary type="html"><![CDATA[The InvenTree core development team has received a report of a critical security vulnerability affecting a large range of releases since 2024. We will release a disclosure and a fixed release for the 1.2.x release series on 2026-04-08 21:00 UTC. The vulnerability allows for lateral movement and privilege escalation within an InvenTree instance. It has a low attack complexity.]]></summary></entry><entry><title type="html">1.2.0 Release</title><link href="/blog/2026/02/12/1.2.0" rel="alternate" type="text/html" title="1.2.0 Release" /><published>2026-02-12T00:00:00+00:00</published><updated>2026-02-12T00:00:00+00:00</updated><id>/blog/2026/02/12/1.2.0</id><content type="html" xml:base="/blog/2026/02/12/1.2.0"><![CDATA[<p>The InvenTree team is excited to announce the release of version 1.2.0. Attention: This release has no support for PostgreSQL 13 - our docs contain information regading <a href="https://docs.inventree.org/en/latest/start/migrate/#migrating-between-incompatible-database-versions">PostgreSQL updates</a>. At least PostgreSQL 14 is required, we recommend PostgreSQL 18.</p>
<p>This release includes numerous new features, improvements, and bug fixes.</p>
@@ -849,8 +869,4 @@ Refer to the <a href="https://github.com/inventree/InvenTree/pull/8401">pull req
<ul>
<li><a href="/fund#github-sponsors">GitHub</a></li>
</ul>]]></content><author><name>SchrodingersGat</name></author><summary type="html"><![CDATA[The InvenTree team is proud to announce the release of InvenTree version 0.17.0! This is the most significant release of InvenTree to date, with a huge number of new features, bug fixes, and improvements. We have closed out over 400 pull requests against this release milestone, and received contributions from multiple developers including seven new contributors.]]></summary></entry><entry><title type="html">0.16.9 Release</title><link href="/blog/2024/11/30/0.16.9" rel="alternate" type="text/html" title="0.16.9 Release" /><published>2024-11-30T00:00:00+00:00</published><updated>2024-11-30T00:00:00+00:00</updated><id>/blog/2024/11/30/0.16.9</id><content type="html" xml:base="/blog/2024/11/30/0.16.9"><![CDATA[<p>We have just released version 0.16.9 which includes a number of patches and bug fixes.</p>
<h3 id="release-notes">Release Notes</h3>
<p>View the <a href="https://github.com/inventree/InvenTree/releases/tag/0.16.9">release notes</a> for more information.</p>]]></content><author><name>SchrodingersGat</name></author><summary type="html"><![CDATA[We have just released version 0.16.9 which includes a number of patches and bug fixes.]]></summary></entry></feed>
</ul>]]></content><author><name>SchrodingersGat</name></author><summary type="html"><![CDATA[The InvenTree team is proud to announce the release of InvenTree version 0.17.0! This is the most significant release of InvenTree to date, with a huge number of new features, bug fixes, and improvements. We have closed out over 400 pull requests against this release milestone, and received contributions from multiple developers including seven new contributors.]]></summary></entry></feed>