Stored XSS Vulnerability in Invoice Ninja by Invoice Ninja
CVE-2026-33742
5.4 MEDIUM
What is CVE-2026-33742?
Invoice Ninja is an open-source invoicing, quoting, project and time-tracking application built with Laravel. Version 5.13.0 contains a stored cross-site scripting (XSS) vulnerability: the product notes field is rendered from Markdown, and the resulting HTML was not sanitized with purify::clean() before being placed into invoice templates, so a malicious user could inject script into rendered invoices. The issue is fixed in version 5.13.4, which passes the Markdown output through purify::clean() before it reaches the template.
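The following is an added illustration of the vulnerable and fixed rendering patterns described above; it is not Invoice Ninja's own code. It assumes a Laravel app with league/commonmark for Markdown and the stevebauman/purify package, which provides the Purify::clean() facade the advisory names.

```php
<?php
// Added example, not Invoice Ninja's code. Assumes a Laravel app with
// league/commonmark (Markdown) and stevebauman/purify (the Purify::clean()
// facade named in the advisory) installed via Composer.
use League\CommonMark\CommonMarkConverter;
use Stevebauman\Purify\Facades\Purify;

// Constructed sample product note: Markdown with a raw HTML tag embedded.
$notes = "Consulting hours\n\n<script>alert('xss')</script>";

// Pre-5.13.4 pattern: CommonMark passes raw HTML through by default
// (html_input => 'allow'), so the tag reaches the invoice template intact
// and is stored XSS for anyone who later views the invoice.
function renderNotesVulnerable(string $markdown): string
{
    $converter = new CommonMarkConverter();
    return (string) $converter->convert($markdown);
}

// 5.13.4-style fix: sanitize the HTML *after* Markdown rendering, so both
// raw HTML and HTML generated from Markdown syntax pass through the allowlist.
// Telling the converter to escape raw HTML is an extra layer; the purifier
// pass is what guarantees only allowlisted tags and attributes remain.
function renderNotesSafe(string $markdown): string
{
    $converter = new CommonMarkConverter([
        'html_input'         => 'escape',
        'allow_unsafe_links' => false,
    ]);
    $html = (string) $converter->convert($markdown);
    return Purify::clean($html);
}

// Sanity check: the unsafe path retains the script tag, the safe path does not.
assert(str_contains(renderNotesVulnerable($notes), '<script>'));
assert(!str_contains(renderNotesSafe($notes), '<script>'));
```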
Affected Version(s)
invoiceninja < 5.13.4
