Stored XSS Vulnerability in Invoice Ninja by Invoice Ninja
CVE-2026-33742

5.4 MEDIUM

Key Information:

Vendor:
Invoice Ninja
CVE Published:
26 March 2026

What is CVE-2026-33742?

Invoice Ninja, an open-source invoicing, quoting, project and time-tracking application built with Laravel, contains a stored XSS vulnerability in version 5.13.0: HTML embedded in the Markdown of the product notes field is rendered unsanitized. Because the Markdown output was not passed through purify::clean() before being inserted into invoice templates, a user who can edit product notes could inject script that runs when the invoice is viewed. The issue is fixed in version 5.13.4, which applies purify::clean() to the rendered Markdown output.
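The rendering pattern behind this CVE, as an added illustration that is not Invoice Ninja's code: a toy Markdown renderer that (like real CommonMark renderers) passes raw HTML through untouched, shown with the pre-5.13.4 path that embeds its output directly and the fixed path that runs the output through an allowlist purifier first. The renderer, the Purifier class and the sample notes are all constructed for this example.

```python
"""Stand-alone model of the CVE-2026-33742 pattern: a Markdown product-notes
field is rendered to HTML for an invoice template, and raw HTML written into
the Markdown passes through untouched, so the rendered output needs an HTML
purifier before it is embedded in the page. The toy renderer and allowlist
cleaner below are stand-ins for this example, not Invoice Ninja's code."""
import html
import re
from html.parser import HTMLParser

def render_markdown(notes: str) -> str:
    """Toy Markdown: *emphasis* and [text](url); raw HTML is left as-is,
    which is the default behaviour of CommonMark-style renderers."""
    out = re.sub(r"\*(.+?)\*", r"<em>\1</em>", notes)
    return re.sub(r"\[(.+?)\]\((\S+?)\)", r'<a href="\2">\1</a>', out)

# Allowlist: element -> permitted attributes. Anything else is dropped.
ALLOWED = {"p": set(), "em": set(), "strong": set(), "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class Purifier(HTMLParser):
    """Allowlist sanitiser: keeps listed tags/attributes, discards the rest
    (script/style bodies included) and re-escapes text so it cannot reopen markup."""
    def __init__(self):
        super().__init__()           # convert_charrefs=True: text arrives decoded
        self.out, self.drop = [], 0  # drop > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.drop += 1
        elif tag in ALLOWED and not self.drop:
            kept = ""
            for name, value in attrs:
                value = (value or "").strip()
                if name in ALLOWED[tag] and (name != "href" or value.lower().startswith(SAFE_SCHEMES)):
                    kept += ' %s="%s"' % (name, html.escape(value, quote=True))
            self.out.append("<%s%s>" % (tag, kept))
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.drop = max(0, self.drop - 1)
        elif tag in ALLOWED and not self.drop:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.drop:
            self.out.append(html.escape(data, quote=False))

def purify(fragment: str) -> str:
    p = Purifier(); p.feed(fragment); p.close(); return "".join(p.out)

def render_notes_vulnerable(notes: str) -> str:  # pre-5.13.4: Markdown output embedded as-is
    return render_markdown(notes)

def render_notes_fixed(notes: str) -> str:       # 5.13.4: Markdown output purified first
    return purify(render_markdown(notes))

# Constructed sample notes: legitimate Markdown followed by injected raw HTML.
SAMPLE_NOTES = '*Handmade* [spec sheet](https://example.com/spec) <script>alert(1)</script><a href="javascript:alert(1)">link</a>'
```

A real deployment should rely on a maintained purifier library rather than this minimal allowlist, which exists only to make the difference between the two render paths visible.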

Affected Version(s)

invoiceninja < 5.13.4

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published: 26 March 2026

  • Vulnerability reserved