Invoice Ninja CVE-2026-33628
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Vulnerability Details
Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal.
The line item description field was not passed through purify::clean() before rendering.
Steps to Reproduce
- Login as any authenticated user
- Create or edit an invoice
- In a line item description, enter:
<img src=x onerror=alert(document.cookie)> - Save the invoice and preview it
- The XSS payload executes in the browser
Impact
- Attacker: Any authenticated user who can create invoices
- Victim: Any user viewing the invoice (including clients via the portal)
- Specific damage: Session hijacking, account takeover, data exfiltration
Proposed Fix
Fixed in v5.13.4 by the vendor by adding purify::clean() to sanitize line item descriptions.
AnalysisAI
Invoice Ninja v5.13.0 and earlier contain a stored cross-site scripting (XSS) vulnerability in invoice line item descriptions that bypass the application's XSS denylist filter, allowing authenticated attackers to inject malicious JavaScript that executes when invoices are viewed in PDF preview or the client portal. Any authenticated user can create or modify invoices to inject payloads such as <img src=x onerror=alert(document.cookie)>, and victims viewing the invoice-including clients with lower privilege levels-will have the payload execute in their browser context, enabling session hijacking, account takeover, and data exfiltration. A patch is available in v5.13.4 via the vendor's GitHub repository.
Technical ContextAI
Invoice Ninja (CPE: pkg:composer/invoiceninja_invoiceninja) is a self-hosted or cloud-based invoicing application written in PHP. The vulnerability stems from a failure to sanitize user input in the line item description field before rendering it in HTML contexts (PDF preview and client portal). The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS flaw where user-controlled data is reflected without proper encoding or filtering. The vendor's denylist-based XSS filter (likely a custom or outdated implementation) failed to catch HTML event handlers embedded in image tags. The fix, implemented in commit b81a3fc302573fc4a53d61e8537dd19154ce1091, introduces the purify::clean() function—presumably a reference to HTMLPurifier or similar whitelist-based sanitization library—to properly neutralize HTML markup before rendering.
RemediationAI
Immediately upgrade Invoice Ninja to v5.13.4 or later, available from the official GitHub releases page (https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4). If immediate patching is not feasible, implement temporary controls: restrict invoice creation and editing permissions to highly trusted administrators only, disable client portal access until patching is complete, and audit existing invoices for injected payloads (search line item descriptions for HTML event handlers or script tags). Additionally, implement a web application firewall (WAF) rule to block requests containing suspicious HTML/JavaScript patterns in the line item description parameter. Review the security patch commit (b81a3fc302573fc4a53d61e8537dd19154ce1091) to understand the fix if custom sanitization is needed.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today