Skip to main content

Crater

6 CVEs product

Monthly

CVE-2026-14791 LOW POC Monitor

Cross-site scripting in Crater invoice application (up to v6.0.6) allows an authenticated attacker to inject malicious script payloads via the invoice notes field, executing in the browser of any user who subsequently views the crafted invoice. The vulnerable function getFormattedString in app/Http/Requests/InvoicesRequest.php performs insufficient neutralization of the notes argument, classified under CWE-79. A public proof-of-concept exploit exists; no vendor patch has been released as the project has not responded to the coordinated disclosure made via GitHub issue #1327.

XSS PHP Crater
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2023-46865 HIGH POC PATCH THREAT This Week

/api/v1/company/upload-logo in CompanyController.php in crater through 6.0.6 allows a superadmin to execute arbitrary PHP code by placing this code into an image/png IDAT chunk of a Company Logo. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection PHP Crater
NVD GitHub
CVSS 3.1
7.2
EPSS
20.3%
CVE-2022-1032 HIGH POC PATCH This Week

Insecure deserialization of not validated module file in GitHub repository crater-invoice/crater prior to 6.0.6. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization Crater
NVD GitHub
CVSS 3.1
7.2
EPSS
1.6%
CVE-2022-1033 HIGH POC PATCH This Week

Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0.6. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

File Upload Crater
NVD GitHub
CVSS 3.1
7.8
EPSS
0.9%
CVE-2022-0515 MEDIUM POC PATCH This Month

Cross-Site Request Forgery (CSRF) in GitHub repository crater-invoice/crater prior to 6.0.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Crater
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-0514 MEDIUM POC PATCH This Month

Business Logic Errors in GitHub repository crater-invoice/crater prior to 6.0.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Crater
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
EPSS 0% CVSS 2.0
LOW POC Monitor

Cross-site scripting in Crater invoice application (up to v6.0.6) allows an authenticated attacker to inject malicious script payloads via the invoice notes field, executing in the browser of any user who subsequently views the crafted invoice. The vulnerable function getFormattedString in app/Http/Requests/InvoicesRequest.php performs insufficient neutralization of the notes argument, classified under CWE-79. A public proof-of-concept exploit exists; no vendor patch has been released as the project has not responded to the coordinated disclosure made via GitHub issue #1327.

XSS PHP Crater
NVD VulDB GitHub
EPSS 20% CVSS 7.2
HIGH POC PATCH THREAT This Week

/api/v1/company/upload-logo in CompanyController.php in crater through 6.0.6 allows a superadmin to execute arbitrary PHP code by placing this code into an image/png IDAT chunk of a Company Logo. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Code Injection PHP +1
NVD GitHub
EPSS 2% CVSS 7.2
HIGH POC PATCH This Week

Insecure deserialization of not validated module file in GitHub repository crater-invoice/crater prior to 6.0.6. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization Crater
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0.6. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

File Upload Crater
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Cross-Site Request Forgery (CSRF) in GitHub repository crater-invoice/crater prior to 6.0.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Crater
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Business Logic Errors in GitHub repository crater-invoice/crater prior to 6.0.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Crater
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy