CVE-2026-33628

5.4 MEDIUM
Published: March 26, 2026 Modified: March 30, 2026
View on NVD

Description

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091
Source: security-advisories@github.com
Patch
https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4
Source: security-advisories@github.com
Release Notes
https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p
Source: security-advisories@github.com
Vendor Advisory
https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.4 / 10.0
EPSS (Exploit Probability)
0.0%
12th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79 CWE-116 CWE-184 CWE-79

Affected Vendors

invoiceninja

Related CVEs

CVE-2026-41304 N/A
CVE-2026-41144 N/A
CVE-2026-41136 N/A
CVE-2026-41135 7.5
CVE-2026-41133 8.8