{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33742", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-26T20:50:21.984Z", "dateUpdated": "2026-03-27T13:55:25.963Z"}, "containers": {"cna": {"title": "Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh"}, {"name": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"}], "affected": [{"vendor": "invoiceninja", "product": "invoiceninja", "versions": [{"version": "< 5.13.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:50:21.984Z"}, "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output."}], "source": {"advisory": "GHSA-xph7-9749-56mh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:33:33.494289Z", "id": "CVE-2026-33742", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:55:25.963Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33742", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:33:33.494289Z"}}}], "references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:33:28.490Z"}}], "cna": {"title": "Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes", "source": {"advisory": "GHSA-xph7-9749-56mh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "invoiceninja", "product": "invoiceninja", "versions": [{"status": "affected", "version": "< 5.13.4"}]}], "references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh", "name": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "name": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:50:21.984Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33742", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:55:25.963Z", "dateReserved": "2026-03-23T17:34:57.561Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:50:21.984Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:invoiceninja:invoice_ninja:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC4B6AFE-F1E5-491A-8E54-A20207B38036", "versionEndExcluding": "5.13.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output."}, {"lang": "es", "value": "Invoice Ninja es una aplicaci\u00f3n de facturaci\u00f3n, presupuestos, proyectos y seguimiento del tiempo de c\u00f3digo fuente disponible, construida con Laravel. Los campos de notas de producto en Invoice Ninja v5.13.0 permiten HTML en bruto a trav\u00e9s de la renderizaci\u00f3n de Markdown, lo que permite XSS almacenado. La salida del analizador de Markdown no fue saneada con 'purify::clean()' antes de ser incluida en las plantillas de factura. Esto se corrigi\u00f3 en la v5.13.4 por el proveedor al a\u00f1adir 'purify::clean()' para sanear la salida de Markdown."}], "id": "CVE-2026-33742", "lastModified": "2026-03-30T17:02:40.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:08.273", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.13.4)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "invoiceninja", "source": "cna", "vendor": "invoiceninja"}, "product": "invoice_ninja", "vendor": "invoiceninja"}], "analysis": {"en": {"generated_at": "2026-03-26T22:24:08.344109+00:00", "value": {"mitigation_remediation": ["Upgrade Invoice Ninja to version 5.13.4 or later.", "Avoid entering raw HTML or executable scripts in product notes when upgrading is not possible.", "Verify that Markdown output is sanitized if custom rendering is used."], "summary": {"action": "Immediate Patch", "impact": "Stored XSS enabling session hijack and data theft"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Invoice Ninja version 5.13.0 up through 5.13.3. Version 5.13.4 onward includes a sanitization fix with purify::clean().", "description_and_impact": "Invoice Ninja product notes accept raw HTML through Markdown rendering without sanitization. This allows an attacker to embed malicious scripts that are persisted and executed when the invoice is viewed, leading to cross\u2011site scripting execution.", "risk_and_exploitability": "The CVSS score of 5.4 indicates medium severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by inserting malicious markup into product notes, which is stored and displayed to any authenticated user who views the affected invoice. The attack vector is inferred to be via authenticated creation or editing of product notes."}}}}, "created": "2026-03-27T08:31:55.867993+00:00", "updated": "2026-03-27T09:23:23.563205+00:00", "vendors": ["invoiceninja", "invoiceninja$PRODUCT$invoice_ninja"]}