Cross-Site Scripting Vulnerability in Crater Invoice by Crater-Invoice-Inc
CVE-2026-14791
Key Information:
- Vendor
Crater-invoice-inc
- Status
- Vendor
- CVE Published:
- 6 July 2026
Badges
What is CVE-2026-14791?
A security weakness has been discovered in the Crater Invoice application, specifically within the getFormattedString function of the InvoicesRequest.php file. This vulnerability allows an attacker to manipulate the argument used in the invoicing notes, potentially leading to cross-site scripting (XSS) attacks. The exploitation of this flaw can be conducted remotely. Despite early notifications about the issue through an issue report, the Crater team has yet to address the vulnerability. The exploit details have been made public, heightening security concerns for users of the application.
Affected Version(s)
crater 6.0.0
crater 6.0.1
crater 6.0.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
