Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with purify::clean() before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding purify::clean() to sanitize Markdown output.
AnalysisAI
Stored cross-site scripting (XSS) in Invoice Ninja v5.13.0 through v5.13.3 allows authenticated attackers with product notes field access to inject and execute arbitrary JavaScript in invoice templates via unvalidated Markdown rendering. The vulnerability affects all Invoice Ninja instances running affected versions where the Markdown parser output bypasses HTML sanitization, enabling session hijacking, credential theft, or malicious template manipulation for other users viewing invoices. A vendor-released patch (v5.13.4) addresses this by implementing purify::clean() sanitization on Markdown output.
Technical ContextAI
Invoice Ninja is a Laravel-based invoicing application (CPE: cpe:2.3:a:invoiceninja:invoiceninja) that processes product notes fields through a Markdown rendering pipeline. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the failure to sanitize Markdown parser output before template inclusion. The application used Markdown conversion to render rich text in product notes but did not subsequently pass the HTML output through purification routines. This is a classic second-order XSS pattern where user-controlled Markdown input is converted to HTML and then embedded in templates without Content Security Policy or HTML entity encoding protections. The fix implements the purify::clean() function, which is a standard Laravel/PHP HTML sanitization utility that strips potentially dangerous tags and attributes while preserving safe formatting.
RemediationAI
Upgrade Invoice Ninja to version v5.13.4 or later immediately. This patched release adds purify::clean() sanitization to Markdown output in product notes fields. If immediate upgrade is not feasible, implement a temporary Content Security Policy (CSP) header set to script-src 'none' or restrict to 'self' only to mitigate stored XSS impact, and audit recent invoice templates for injected script tags. Additionally, restrict access to product notes editing fields to trusted administrative users only, and educate users not to paste untrusted content into product notes fields. See the vendor advisory at https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh for deployment guidance.
More in Invoiceninja
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16418