Skip to main content

Invoiceninja EUVDEUVD-2026-16418

| CVE-2026-33742 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
5.13.4
EUVD ID Assigned
Mar 26, 2026 - 21:16 euvd
EUVD-2026-16418
Analysis Generated
Mar 26, 2026 - 21:16 vuln.today
CVE Published
Mar 26, 2026 - 20:50 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with purify::clean() before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding purify::clean() to sanitize Markdown output.

AnalysisAI

Stored cross-site scripting (XSS) in Invoice Ninja v5.13.0 through v5.13.3 allows authenticated attackers with product notes field access to inject and execute arbitrary JavaScript in invoice templates via unvalidated Markdown rendering. The vulnerability affects all Invoice Ninja instances running affected versions where the Markdown parser output bypasses HTML sanitization, enabling session hijacking, credential theft, or malicious template manipulation for other users viewing invoices. A vendor-released patch (v5.13.4) addresses this by implementing purify::clean() sanitization on Markdown output.

Technical ContextAI

Invoice Ninja is a Laravel-based invoicing application (CPE: cpe:2.3:a:invoiceninja:invoiceninja) that processes product notes fields through a Markdown rendering pipeline. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the failure to sanitize Markdown parser output before template inclusion. The application used Markdown conversion to render rich text in product notes but did not subsequently pass the HTML output through purification routines. This is a classic second-order XSS pattern where user-controlled Markdown input is converted to HTML and then embedded in templates without Content Security Policy or HTML entity encoding protections. The fix implements the purify::clean() function, which is a standard Laravel/PHP HTML sanitization utility that strips potentially dangerous tags and attributes while preserving safe formatting.

RemediationAI

Upgrade Invoice Ninja to version v5.13.4 or later immediately. This patched release adds purify::clean() sanitization to Markdown output in product notes fields. If immediate upgrade is not feasible, implement a temporary Content Security Policy (CSP) header set to script-src 'none' or restrict to 'self' only to mitigate stored XSS impact, and audit recent invoice templates for injected script tags. Additionally, restrict access to product notes editing fields to trusted administrative users only, and educate users not to paste untrusted content into product notes fields. See the vendor advisory at https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh for deployment guidance.

Share

EUVD-2026-16418 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy