CVE-2026-33628

MEDIUM 5.4 (CVSS 3.1)
2026-03-24
https://github.com/invoiceninja/invoiceninja

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

CVE Published: Mar 24, 2026 - 20:40 (nvd)
Patch Released: Mar 24, 2026 - 20:45 (nvd) - patch available
Analysis Generated: Mar 24, 2026 - 20:45 (vuln.today)

Description

## Vulnerability Details

Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the application's XSS denylist filter, allowing stored XSS payloads to execute when an invoice is rendered in the PDF preview or the client portal. The line item description field was not passed through `purify::clean()` before rendering.

## Steps to Reproduce

1. Log in as any authenticated user.
2. Create or edit an invoice.
3. In a line item description, enter: `<img src=x onerror=alert(document.cookie)>`
4. Save the invoice and preview it.
5. The payload executes in the browser.

## Impact

- **Attacker**: any authenticated user who can create invoices
- **Victim**: any user viewing the invoice, including clients via the portal
- **Specific damage**: session hijacking, account takeover, data exfiltration

## Proposed Fix

Fixed by the vendor in v5.13.4 by passing line item descriptions through `purify::clean()` before rendering.
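The filtering failure the advisory describes, as an added example in Python rather than the project's PHP code: a hypothetical pattern denylist (a stand-in for a generic XSS filter, not Invoice Ninja's actual one) lets the advisory's `<img ... onerror>` payload through untouched, while context-correct HTML escaping and an allowlist sanitiser (the approach an HTML purifier such as the one behind `purify::clean()` takes) both neutralise it. The payload is the one from the reproduction steps; the other sample descriptions are constructed.

```python
"""Stored-XSS filtering demo: denylist bypass vs. escaping vs. allowlist sanitising.

Added example, not Invoice Ninja code. The denylist below is a stand-in for a
generic pattern-based XSS filter and is NOT the project's actual filter.
"""
import html
import re
from html.parser import HTMLParser

# Payload from the advisory's reproduction steps.
PAYLOAD = '<img src=x onerror=alert(document.cookie)>'

# Hypothetical denylist: catches the obvious patterns and nothing else.
_DENYLIST = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*iframe", re.I),
]


def denylist_filter(text: str) -> str:
    """Strip denylisted patterns. Event-handler attributes pass straight through."""
    for pat in _DENYLIST:
        text = pat.sub("", text)
    return text


def escape_for_html(text: str) -> str:
    """Output encoding for an HTML text node or quoted attribute: no markup survives."""
    return html.escape(text, quote=True)


class _AllowlistSanitizer(HTMLParser):
    """Rebuild markup keeping only a small set of tags and no attributes at all."""

    ALLOWED = {"b", "i", "em", "strong", "br", "p"}
    VOID = {"br"}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:
            # Attributes (onerror, href, style, ...) are dropped unconditionally.
            self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.ALLOWED and tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped so '&', '<', '>' and quotes cannot form new markup.
        self.out.append(html.escape(data, quote=True))


def sanitize_allowlist(text: str) -> str:
    """Allowlist sanitiser: unknown tags and all attributes are removed."""
    parser = _AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


def contains_active_content(rendered: str) -> bool:
    """Crude check used for the demo: is there still a tag carrying an on* handler?"""
    return re.search(r"<\w+[^>]*\son\w+\s*=", rendered, re.I) is not None
```

Running `denylist_filter(PAYLOAD)` returns the payload unchanged and `contains_active_content` reports the live handler; `escape_for_html(PAYLOAD)` turns it into inert text, and `sanitize_allowlist(PAYLOAD)` drops the `img` element entirely while still keeping `<b>`/`<br>` in a description such as `<b>Hosting</b> 2 x ...`. Whichever route is taken, the encoding or sanitising must happen for every rendering context the field reaches (here the client portal and the PDF preview), not just the one the report was tested against.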

Analysis

Invoice Ninja v5.13.0 and earlier contain a stored cross-site scripting (XSS) vulnerability in invoice line item descriptions, which bypass the application's XSS denylist filter and allow authenticated attackers to inject JavaScript that executes when an invoice is viewed in the PDF preview or the client portal. Any authenticated user can create or modify an invoice to inject a payload such as `<img src=x onerror=alert(document.cookie)>`; anyone who views that invoice, including clients with lower privilege levels, has the payload execute in their browser context, enabling session hijacking, account takeover, and data exfiltration. Note that `document.cookie` only exposes cookies not flagged HttpOnly; where the session cookie is HttpOnly the payload still runs in the victim's authenticated session and can issue requests on their behalf. …


Remediation

Within 30 days: identify systems running Invoice Ninja releases before v5.13.4 and upgrade to v5.13.4 or later as part of the regular patch cycle. As defence in depth, verify that user-supplied fields are output-encoded or sanitised in every rendering context (client portal and PDF preview) and that the Content-Security-Policy served to the portal does not permit inline script, which is what the advisory's event-handler payload relies on.
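To check the CSP part of this guidance, an added example (not from the page or the project) that parses a response's Content-Security-Policy header and reports whether the policy would still let the inline event handler in the advisory's payload run. The sample headers are constructed; in practice the value comes from a response served by the client portal.

```python
"""Check whether a Content-Security-Policy would block the inline on* handler
used in this advisory's payload. Added example; the headers are constructed."""

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_src_allows_inline(header: str) -> bool:
    """True if inline script (including on* handlers) can execute under this policy.

    Rules applied: script-src governs, falling back to default-src; no policy at
    all means no restriction; 'unsafe-inline' counts only when the directive has
    no nonce or hash source, because browsers ignore it otherwise. A hash source
    without 'unsafe-hashes' does not unlock on* handlers, so that case is treated
    as blocked.
    """
    directives = parse_csp(header)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def audit(headers: dict[str, str]) -> list[str]:
    """One finding per response whose policy still allows inline script."""
    findings = []
    for name, csp in headers.items():
        if script_src_allows_inline(csp):
            findings.append(f"{name}: inline script allowed ({csp or 'no CSP header'})")
    return findings


# Constructed header values, keyed by a label for the response they came from.
SAMPLE_HEADERS = {
    "no-csp": "",
    "permissive": "default-src 'self' 'unsafe-inline'",
    "nonce-based": "default-src 'self'; script-src 'self' 'nonce-d3adb33f'",
    "unsafe-inline-with-nonce": "script-src 'self' 'unsafe-inline' 'nonce-d3adb33f'",
}
```

`audit(SAMPLE_HEADERS)` flags only `no-csp` and `permissive`. A CSP is a mitigation for the rendering paths that honour it; it does nothing for the PDF renderer unless that renderer enforces the same header, so it complements the upgrade rather than replacing it.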


Priority Score

27
KEV: 0
EPSS: +0.0
CVSS: +27
POC: 0

