GHSA-98WM-CXPW-847P

Vulnerability from github – Published: 2026-03-24 20:40 – Updated: 2026-03-24 20:40
Summary
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
Details

Vulnerability Details

Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal.

The line item description field was not passed through purify::clean() before rendering.

Steps to Reproduce

  1. Log in as any authenticated user
  2. Create or edit an invoice
  3. In a line item description, enter: <img src=x onerror=alert(document.cookie)>
  4. Save the invoice and preview it
  5. The XSS payload executes in the browser

Impact

  • Attacker: Any authenticated user who can create invoices
  • Victim: Any user viewing the invoice (including clients via the portal)
  • Specific damage: Session hijacking, account takeover, data exfiltration

Proposed Fix

Fixed by the vendor in v5.13.4 by passing line item descriptions through purify::clean() before they are rendered.
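To illustrate why a denylist filter fails here and what the fix changes, the following is an added example (not Invoice Ninja's code, and not the purify::clean() helper the advisory names, whose implementation this page does not show). It contrasts a typical denylist filter that only strips script tags with an allowlist sanitizer that keeps a few formatting tags, drops every attribute, and re-escapes all other markup as text. The sample description strings are constructed for the example; the payload is the one quoted in the advisory above.

```python
import html
import re
from html.parser import HTMLParser

# Constructed samples for this example: the payload quoted in the advisory,
# and a benign description that legitimately uses a formatting tag.
ADVISORY_PAYLOAD = "<img src=x onerror=alert(document.cookie)>"
BENIGN_DESCRIPTION = "Consulting services <b>(10 hours)</b> &amp; travel"


def denylist_filter(text: str) -> str:
    """A typical denylist filter: it removes <script> tags and nothing else.
    Event-handler attributes on any other tag (the advisory's onerror on <img>)
    pass straight through, which is the class of bypass the advisory describes."""
    return re.sub(r"<\s*/?\s*script\b[^>]*>", "", text, flags=re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Allowlist sanitizer (hypothetical stand-in for purify::clean()):
    keeps a small set of formatting tags with no attributes at all and
    re-escapes everything else, so no src/href/on* attribute can survive."""

    ALLOWED_TAGS = {"b", "i", "u", "p", "br"}

    def __init__(self) -> None:
        # convert_charrefs=False so entity and char references reach our handlers
        super().__init__(convert_charrefs=False)
        self.parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")  # attributes are deliberately dropped

    def handle_endtag(self, tag):
        if tag in self.ALLOWED_TAGS and tag != "br":
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content is always output-encoded for an HTML body context.
        self.parts.append(html.escape(data, quote=True))

    def handle_entityref(self, name):
        # Resolve the reference, then re-escape it so it cannot smuggle markup.
        self.parts.append(html.escape(html.unescape(f"&{name};"), quote=True))

    def handle_charref(self, name):
        self.parts.append(html.escape(html.unescape(f"&#{name};"), quote=True))


def sanitize(text: str) -> str:
    """Run the allowlist sanitizer over a line item description."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.parts)


def has_active_content(rendered: str) -> bool:
    """Detection-side check for a rendering pipeline or test suite: any script tag,
    on* attribute or javascript: URL in the final markup means sanitization was skipped."""
    return re.search(r"<script\b|\son\w+\s*=|javascript:", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("denylist :", repr(denylist_filter(ADVISORY_PAYLOAD)))
    print("allowlist:", repr(sanitize(ADVISORY_PAYLOAD)))
    print("benign   :", repr(sanitize(BENIGN_DESCRIPTION)))
```

The `has_active_content` check is the kind of assertion worth adding to a regression test for the fixed code path: render an invoice whose line item carries the advisory's payload and assert the check returns `False` for both the PDF preview template and the client portal view.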

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "invoiceninja/invoiceninja"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.13.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33628"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-184",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T20:40:16Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Vulnerability Details\n\nInvoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal.\n\nThe line item description field was not passed through `purify::clean()` before rendering.\n\n## Steps to Reproduce\n\n1. Login as any authenticated user\n2. Create or edit an invoice\n3. In a line item description, enter: `\u003cimg src=x onerror=alert(document.cookie)\u003e`\n4. Save the invoice and preview it\n5. The XSS payload executes in the browser\n\n## Impact\n\n- **Attacker**: Any authenticated user who can create invoices\n- **Victim**: Any user viewing the invoice (including clients via the portal)\n- **Specific damage**: Session hijacking, account takeover, data exfiltration\n\n## Proposed Fix\n\nFixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions.",
  "id": "GHSA-98wm-cxpw-847p",
  "modified": "2026-03-24T20:40:16Z",
  "published": "2026-03-24T20:40:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/invoiceninja/invoiceninja"
    },
    {
      "type": "WEB",
      "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items"
}