{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-29925", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T19:16:34.202Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T18:31:17.904Z"}, "descriptions": [{"lang": "en", "value": "Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Request Forgery (SSRF) in CheckDatabaseRequest.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/invoiceninja/invoiceninja/blob/v5-stable/app/Http/Requests/Setup/CheckDatabaseRequest.php"}, {"url": "https://gist.github.com/TrekLaps/5b2c72106d950dab0cd1897eb93200f1"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T19:15:40.631132Z", "id": "CVE-2026-29925", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T19:16:34.202Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29925", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T19:15:40.631132Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T19:14:39.547Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/invoiceninja/invoiceninja/blob/v5-stable/app/Http/Requests/Setup/CheckDatabaseRequest.php"}, {"url": "https://gist.github.com/TrekLaps/5b2c72106d950dab0cd1897eb93200f1"}], "descriptions": [{"lang": "en", "value": "Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Request Forgery (SSRF) in CheckDatabaseRequest.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T18:31:17.904Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29925", "state": "PUBLISHED", "dateUpdated": "2026-03-30T19:16:34.202Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-30T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:invoiceninja:invoice_ninja:5.12.46:*:*:*:*:*:*:*", "matchCriteriaId": "4D0D28CD-2E25-4683-B2D6-FBD588FC2E3D", "vulnerable": true}, {"criteria": "cpe:2.3:a:invoiceninja:invoice_ninja:5.12.48:*:*:*:*:*:*:*", "matchCriteriaId": "695ED6F6-1370-4C23-A2C7-562BCE1A236E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Invoice Ninja v5.12.46 and v5.12.48 is vulnerable to Server-Side Request Forgery (SSRF) in CheckDatabaseRequest.php."}, {"lang": "es", "value": "Invoice Ninja v5.12.46 y v5.12.48 es vulnerable a falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en CheckDatabaseRequest.php."}], "id": "CVE-2026-29925", "lastModified": "2026-04-02T16:58:36.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T19:16:24.600", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/TrekLaps/5b2c72106d950dab0cd1897eb93200f1"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/invoiceninja/invoiceninja/blob/v5-stable/app/Http/Requests/Setup/CheckDatabaseRequest.php"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.12.46,5.12.48]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "invoice_ninja", "vendor": "invoiceninja"}], "analysis": {"en": {"generated_at": "2026-04-02T22:10:07.654221+00:00", "value": {"mitigation_remediation": ["Upgrade Invoice Ninja to a version where the SSRF in CheckDatabaseRequest.php has been fixed, such as the most recent release beyond 5.12.48", "If an upgrade is not immediately possible, restrict access to the Setup/CheckDatabase endpoint to trusted administrators or block it entirely", "Monitor the application's outbound network activity for unexpected or suspicious connections originating from the application"], "summary": {"action": "Patch Immediately", "impact": "Server\u2011Side Request Forgery allows arbitrary outbound requests from the server"}, "threat_synthesis": {"affected_systems": "The affected product is Invoice Ninja, specifically versions 5.12.46 and 5.12.48. No alternate vendors or product lines are noted as impacted.", "description_and_impact": "The vulnerability resides in the CheckDatabaseRequest.php file of Invoice Ninja and permits a server\u2011side request forgery. By manipulating the request, an attacker can instruct the server to send HTTP or other protocol requests to arbitrary destinations. This can be used to reach internal networks, disclose internal resources, or interact with services that are otherwise not exposed externally. The weakness is classified as CWE\u2011918 and does not directly grant code execution, but it can serve as a stepping\u2011stone to further attacks.", "risk_and_exploitability": "The CVSS score of 7.7 denotes a high severity level. The EPSS score of less than 1% suggests that, as of now, the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The most probable attack vector involves a remote attacker sending a crafted request to the Setup/CheckDatabase endpoint. If the endpoint is reachable from the public internet or to authenticated users, an attacker could leverage the SSRF to exfiltrate data or reach internal services, potentially leading to a broader compromise. The overall risk depends on the exposure level of the vulnerable endpoint."}}}}, "created": "2026-03-30T20:56:15.916452+00:00", "updated": "2026-04-03T09:38:21.033779+00:00", "vendors": ["invoiceninja", "invoiceninja$PRODUCT$invoice_ninja"]}