{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33628", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T14:24:11.617Z", "datePublished": "2026-03-26T20:48:45.739Z", "dateUpdated": "2026-03-27T13:55:36.614Z"}, "containers": {"cna": {"title": "Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p"}, {"name": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091", "tags": ["x_refsource_MISC"], "url": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091"}, {"name": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"}], "affected": [{"vendor": "invoiceninja", "product": "invoiceninja", "versions": [{"version": "< 5.13.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:48:45.739Z"}, "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions."}], "source": {"advisory": "GHSA-98wm-cxpw-847p", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:34:13.647878Z", "id": "CVE-2026-33628", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:55:36.614Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33628", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:34:13.647878Z"}}}], "references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:34:04.471Z"}}], "cna": {"title": "Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items", "source": {"advisory": "GHSA-98wm-cxpw-847p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "invoiceninja", "product": "invoiceninja", "versions": [{"status": "affected", "version": "< 5.13.4"}]}], "references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p", "name": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091", "name": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "name": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:48:45.739Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33628", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:55:36.614Z", "dateReserved": "2026-03-23T14:24:11.617Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:48:45.739Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:invoiceninja:invoice_ninja:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC4B6AFE-F1E5-491A-8E54-A20207B38036", "versionEndExcluding": "5.13.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions."}, {"lang": "es", "value": "Invoice Ninja es una aplicaci\u00f3n de facturaci\u00f3n, presupuestos, proyectos y seguimiento del tiempo de c\u00f3digo fuente disponible, construida con Laravel. Las descripciones de las l\u00edneas de art\u00edculos de las facturas en Invoice Ninja v5.13.0 eluden el filtro de denylist de XSS, permitiendo que las cargas \u00fatiles de XSS almacenadas se ejecuten cuando las facturas se renderizan en la vista previa de PDF o en el portal del cliente. El campo de descripci\u00f3n de la l\u00ednea de art\u00edculo no se pas\u00f3 por 'purify::clean()' antes de la renderizaci\u00f3n. Esto se corrigi\u00f3 en la v5.13.4 por el proveedor al a\u00f1adir 'purify::clean()' para sanear las descripciones de las l\u00edneas de art\u00edculos."}], "id": "CVE-2026-33628", "lastModified": "2026-03-30T17:24:09.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:07.113", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}, {"lang": "en", "value": "CWE-184"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.13.4)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "invoiceninja", "source": "cna", "vendor": "invoiceninja"}, "product": "invoice_ninja", "vendor": "invoiceninja"}], "analysis": {"en": {"generated_at": "2026-03-26T22:24:19.804966+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to Invoice Ninja v5.13.4 or later, which restores sanitisation of line item descriptions.", "If an upgrade is not immediately feasible, limit invoice creation and PDF preview access to trusted users only and consider disabling those features until the patch is applied.", "Verify that the running instance no longer serves unsanitised line item content by attempting to add a test invoice with a simple script tag.", "Monitor the application logs and client portal access for any signs of unintended script execution or session hijacking events."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Invoice Ninja application, specifically versions 5.13.0 through 5.13.3. It is tied to the invoice line item description field and is fixed in version 5.13.4, where purify::clean() sanitisation is applied. Users of any earlier release of the open\u2011source Invoice Ninja project are therefore impacted.", "description_and_impact": "Invoice Ninja v5.13.0 introduced a flaw where line item descriptions were not passed through the purify::clean() function before rendering, allowing malicious JavaScript to be injected into invoices. When a victim views the invoice PDF preview or accesses the client portal, the embedded script executes in their browser, potentially stealing session cookies or performing other unauthorized actions. This is a classic stored XSS defect, identified by CWE\u201179 and related to improper input validation (CWE\u2011116, CWE\u2011184).", "risk_and_exploitability": "The CVSS base score rates the flaw as medium (5.4). EPSS data is unavailable, and the vulnerability is not listed in CISA\u2019s KEV catalogue. Exploitation requires an attacker to submit or modify an invoice line item, which is typically performed by authenticated staff or administrators. Once the malicious payload is stored, any user who opens the invoice in the PDF preview or client portal will be exposed to the injected JavaScript. The risk is therefore moderate, with the main threat being the potential compromise of client accounts or unintended script execution in the application."}}}}, "created": "2026-03-27T08:31:56.745078+00:00", "updated": "2026-03-27T09:23:24.528258+00:00", "vendors": ["invoiceninja", "invoiceninja$PRODUCT$invoice_ninja"]}