XSS Vulnerability in Invoice Ninja 5.13.0 by Invoice Ninja
CVE-2026-33628
5.4 MEDIUM
What is CVE-2026-33628?
Invoice Ninja v5.13.0 allows line item descriptions to bypass the XSS denylist filter, so a stored XSS payload can execute when the invoice is rendered in the PDF preview or the client portal. The root cause is that the line item description field is not adequately sanitized: it is rendered without a call to 'purify::clean()'. The issue is fixed in version 5.13.4, where the vendor added the measures needed to sanitize this input properly before rendering.
Affected Version(s)
invoiceninja < 5.13.4
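The advisory describes a denylist filter that a description field can slip past; the added example below (not Invoice Ninja's code, and not the purify::clean() implementation) contrasts such a denylist with an allowlist sanitiser and gives a regression check a maintainer could run over stored descriptions. Sample descriptions, the `ALLOWED` tag set and the `UNSAFE` pattern are constructed assumptions for illustration.

```python
# Added example (not Invoice Ninja code): why a denylist filter on the line
# item description is bypassable, and what an allowlist sanitiser such as the
# purify::clean() call added in 5.13.4 must do instead.
import html
import re
from html.parser import HTMLParser

# Constructed sample descriptions; "handler" uses markup a script-tag
# denylist does not catch (an inline event-handler attribute).
SAMPLES = {
    "plain": "Consulting services, 3 hours",
    "bold": "<b>Rush</b> delivery",
    "script": "Hosting<script>alert(1)</script>",
    "handler": '<b onmouseover="alert(1)">Support</b>',
}

def denylist_clean(text: str) -> str:
    """Flawed approach: remove only known-bad tags (here <script>)."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", text, flags=re.IGNORECASE)

class AllowlistCleaner(HTMLParser):
    """Keep a few formatting tags, drop every attribute, escape other text."""
    ALLOWED = {"b", "i", "em", "strong", "br", "p"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:
            self.out.append(f"<{tag}>")  # attributes are never re-emitted

    def handle_endtag(self, tag):
        if tag in self.ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

def allowlist_clean(text: str) -> str:
    cleaner = AllowlistCleaner()
    cleaner.feed(text)
    cleaner.close()
    return "".join(cleaner.out)

# Regression check to run over stored descriptions: no script tag or
# event-handler attribute may survive sanitisation.
UNSAFE = re.compile(r"<script|\son[a-z]+\s*=", re.IGNORECASE)

def is_render_safe(cleaned: str) -> bool:
    return UNSAFE.search(cleaned) is None
```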
