CVE-2026-33628

EPSS 0.23%
Veröffentlicht 26.03.2026 20:48:45
Zuletzt bearbeitet 30.03.2026 17:24:09
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Invoiceninja ≫ Invoice Ninja Version < 5.13.4

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.137

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p

Vendor Advisory

https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091

Patch

https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-33628

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33628

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33628

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33628