XSS Vulnerability in Invoice Ninja 5.13.0 by Invoice Ninja
CVE-2026-33628

5.4 MEDIUM

Key Information:

Vendor: Invoice Ninja
CVE Published: 26 March 2026

What is CVE-2026-33628?

Invoice Ninja v5.13.0 (and every earlier release below 5.13.4) renders invoice line item descriptions without sanitizing them: the description field is never passed through purify::clean() before rendering, so HTML placed in a description bypasses the application's XSS denylist filter. Because the description is stored with the invoice and rendered again later, this is a stored XSS. A low-privileged user who can create or edit invoices plants the payload once; it then executes in the browser of whoever views that invoice, whether a staff user in the PDF preview or a customer in the client portal, which is why the score carries User Interaction: Required and Scope: Changed. The vendor fixed the issue in version 5.13.4 by sanitizing the field before it is rendered. Until an instance is upgraded, existing invoices should be treated as untrusted content, since a payload stored before the upgrade is still neutralised only if sanitization happens at render time rather than at save time.
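To make the denylist-versus-allowlist point concrete, here is an added example; it is not Invoice Ninja's code and not HTML Purifier. It pairs a constructed pattern-stripping denylist filter (the kind of filter a raw description field gets around) with three classic payloads that pass through it, then runs the same payloads through a small allowlist sanitizer of the type purify::clean() represents: keep the few tags and attributes an invoice description legitimately needs, re-serialise them, and drop everything else. The tag and attribute allowlist, the safe URL schemes, the payloads and the sample description are all assumptions for the demonstration, and Python is used rather than PHP so it runs without a Laravel install.

```python
"""Denylist filtering vs allowlist sanitization of an invoice line description.

Added example; not Invoice Ninja code and not HTML Purifier. The denylist is a
constructed stand-in for "strip known-bad patterns"; the allowlist sanitizer
re-implements the idea behind Purify::clean() on a deliberately small scale.
"""
import re
from html import escape
from html.parser import HTMLParser

# ---- 1. Denylist (constructed): remove patterns we know are dangerous -------
_DENY = (
    re.compile(r"</?script>", re.I),   # literal <script> and </script> tags
    re.compile(r"\son\w+\s*=", re.I),  # whitespace-prefixed on* event handlers
    re.compile(r"javascript:", re.I),  # javascript: URLs
)

def denylist_clean(html: str) -> str:
    """Single pass of pattern removal; anything unmatched passes through."""
    for pat in _DENY:
        html = pat.sub("", html)
    return html

# Constructed payloads. Each survives because the filter reasons about strings
# while the browser reasons about the parsed document.
BYPASSES = {
    # removing the inner tags once reassembles a real <script> element
    "nested": "<scr<script>ipt>alert(1)</scr</script>ipt>",
    # HTML5 treats "/" as attribute whitespace, so no whitespace precedes onerror
    "slash_sep": "<img/src=x/onerror=alert(1)>",
    # the entity decodes to a TAB, which URL parsing strips from the scheme
    "entity_tab": '<a href="java&#x09;script:alert(1)">pay</a>',
}
# Constructed legitimate description that must survive sanitization intact.
LEGIT = '<p>Widget <b>x2</b> <a href="https://example.com/x?q=1&amp;r=2">spec</a></p>'

# ---- 2. Allowlist: keep only known-safe tags/attributes, drop the rest ------
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}               # no style, src, on*, ... anywhere
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}            # element and its text both go

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded
        self.out, self.stack, self._drop = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._drop += 1
            return
        if tag not in ALLOWED_TAGS:
            return                               # unknown element: tag dropped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href":
                # normalise the way a URL parser would: drop ASCII controls
                value = "".join(c for c in (value or "") if c > " ")
                if not value.lower().startswith(SAFE_SCHEMES):
                    continue                     # javascript:, data:, ... gone
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._drop = max(0, self._drop - 1)
            return
        if tag in self.stack:                    # close back down to this tag
            while self.stack:
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._drop:
            self.out.append(escape(data, quote=False))  # text always escaped

    def result(self) -> str:
        while self.stack:                        # close anything left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def allowlist_clean(html: str) -> str:
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return s.result()

if __name__ == "__main__":
    for name, payload in BYPASSES.items():
        print(f"{name:10} denylist : {denylist_clean(payload)!r}")
        print(f"{'':10} allowlist: {allowlist_clean(payload)!r}")
```

The property that matters is the last step: the allowlist sanitizer never forwards the attacker's bytes, it re-serialises its own token stream, so even where html.parser tokenises differently from a browser (it reads the slash-separated img attributes as one src value) the browser only ever sees the sanitizer's canonical output. A denylist, by contrast, forwards everything it did not recognise, and each of the three payloads is built from exactly that gap.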

Affected Version(s)

invoiceninja < 5.13.4

References

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 26 March 2026