Description
A weakness has been identified in crater-invoice-inc crater up to 6.0.6. This affects the function getFormattedString of the file app/Http/Requests/InvoicesRequest.php of the component Invoice Note Handler. Executing a manipulation of the argument notes can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-07-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness exists in crater‑invoice‑inc crater up to version 6.0.6. The vulnerability resides in the getFormattedString function of app/Http/Requests/InvoicesRequest.php within the Invoice Note Handler component. By manipulating the notes argument, an attacker can inject malicious scripts, leading to a cross‑site scripting (XSS) condition. The attack vector is remote, as the exploit can be triggered over HTTP by supplying crafted input.

Affected Systems

The affected product is crater‑invoice‑inc crater. Versions through 6.0.6 are vulnerable; later releases are presumed to have the fix applied, but only the CVE specifies that the issue is present up to 6.0.6. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk. The EPSS score of 0.00203 indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, yet an exploit is publicly available. Because the flaw allows arbitrary client‑side script execution, it can be used to deface pages, harvest session cookies, or execute phishing attacks. Even though the impact is limited to the victim’s browser, the convenience of remote exploitation increases its real‑world threat.

Generated by OpenCVE AI on July 6, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade crater to version 6.0.7 or newer where the note‑processing logic has been hardened.
  • Enforce strict input validation on the notes field, permitting only plain‑text characters and stripping or encoding any HTML markup.
  • Apply output‑side escaping when rendering note content within invoice templates to neutralise any residual scripts that slip through.

Generated by OpenCVE AI on July 6, 2026 at 21:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 03:00:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in crater-invoice-inc crater up to 6.0.6. This affects the function getFormattedString of the file app/Http/Requests/InvoicesRequest.php of the component Invoice Note Handler. Executing a manipulation of the argument notes can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title crater-invoice-inc crater Invoice Note InvoicesRequest.php getFormattedString cross site scripting
First Time appeared Crater-invoice-inc
Crater-invoice-inc crater
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:crater-invoice-inc:crater:*:*:*:*:*:*:*:*
Vendors & Products Crater-invoice-inc
Crater-invoice-inc crater
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Crater-invoice-inc Crater
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T13:28:29.426Z

Reserved: 2026-07-05T18:16:17.170Z

Link: CVE-2026-14791

cve-icon Vulnrichment

Updated: 2026-07-06T13:28:24.918Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T22:41:35Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')