
SolidInvoice EUVD-2026-36303 | CVE-2026-46489 HIGH
Cross-site Scripting (XSS) (CWE-79)
Published 2026-06-11 · Source: GitHub_M
CVSS 3.1 base score 8.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 8.1 HIGH, AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
vuln.today AI: 8.1 HIGH

Network-reachable admin upload (AV:N/AC:L/PR:H), victim must load a page (UI:R), payload executes in other users' browser context (S:C) compromising session confidentiality and integrity (C:H/I:H), no availability impact.

CVSS 3.1: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: Jun 11, 2026 - 21:02 (EUVD)
Source code evidence fetched: Jun 11, 2026 - 20:22 (vuln.today)
Analysis generated: Jun 11, 2026 - 20:22 (vuln.today)

Description (CVE.org)

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.

Analysis (AI)

Stored cross-site scripting in SolidInvoice prior to 2.3.17 allows an authenticated administrator to upload a malicious SVG as the company logo, with the file's contents being base64-encoded and injected unescaped into every page of the application. The embedded JavaScript executes in every authenticated user's browser session, enabling session hijacking and privileged action abuse across the tenant. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain admin credentials
Delivery: Access logo upload settings
Exploit: Upload SVG with embedded JavaScript
Execution: Victim loads authenticated page
Persist: Base64 payload decoded and executed
Impact: Steal session or perform privileged actions

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated SolidInvoice administrator account with permission to access the company logo upload feature in settings, and a second authenticated user must subsequently load any page of the application for the injected script to fire (UI:R). …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N reflects a network-reachable, low-complexity attack that nonetheless requires a high-privilege (administrator) account and a victim to load an authenticated page, with a scope change because the payload affects other users' browser contexts. …

Exploit Scenario: An attacker who has obtained or already holds a SolidInvoice administrator account navigates to company settings and uploads an SVG file containing a <script> element that exfiltrates session cookies or invokes authenticated API endpoints. Any other administrator, accountant, or user who subsequently loads an authenticated page renders the logo, the base64-decoded SVG executes in their browser, and the attacker harvests session tokens or pivots to actions such as creating fraudulent invoices or changing payment details. …

Remediation: Vendor-released patch: upgrade SolidInvoice to version 2.3.17 or later, which contains the fix at commit 8196c64df58b1226739f6ec4097fd6e7ba757860 and is published at https://github.com/SolidInvoice/SolidInvoice/releases/tag/2.3.17; review the advisory at https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-mqwm-r4g8-wf4w. …

Recommended Action (AI)

Within 24 hours: disable SVG logo uploads and restrict administrative access to essential personnel. …
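As an added defender-side example, not code from SolidInvoice or from this advisory: a server-side allowlist check for a logo upload that accepts only raster formats identified by magic bytes and refuses SVG (or, where SVG must stay enabled, refuses SVG carrying script or event handlers), together with an audit helper for a logo that is already stored base64-encoded, as the description says this one is. The function names, the active-content marker list, and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re

# Allowlisted raster signatures (magic bytes) a company logo may carry.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Markers that turn an SVG from a picture into active content (assumed list).
ACTIVE_SVG = re.compile(
    rb"<script\b|\bon[a-z]+\s*=|javascript:|<foreignObject\b|<iframe\b",
    re.IGNORECASE,
)


def is_svg(data: bytes) -> bool:
    """True when the payload is an SVG/XML text document rather than a raster."""
    head = data.lstrip()[:512].lower()
    return head.startswith((b"<?xml", b"<svg")) or b"<svg" in head


def validate_logo(data: bytes, allow_svg: bool = False) -> tuple[bool, str]:
    """Return (accepted, mime-or-reason); SVG is refused unless opted in, and then only inert SVG passes."""
    for magic, mime in RASTER_MAGIC.items():
        if data.startswith(magic):
            return True, mime
    if is_svg(data):
        if not allow_svg:
            return False, "svg-not-allowed"
        if ACTIVE_SVG.search(data):
            return False, "svg-active-content"
        return True, "image/svg+xml"
    return False, "unknown-type"


def encode_logo(data: bytes) -> str:
    """Base64 form in which the advisory says the logo is stored and injected."""
    return base64.b64encode(data).decode("ascii")


def audit_stored_logo(b64_logo: str) -> bool:
    """Incident-response check on a stored logo: True when it decodes to an SVG with active content."""
    try:
        raw = base64.b64decode(b64_logo, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return is_svg(raw) and ACTIVE_SVG.search(raw) is not None
```

Run `audit_stored_logo` over the currently stored logo value before and after upgrading to 2.3.17; a True result means the logo itself must be replaced, since patching the upload path does not remove a payload that was already stored.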
