Description
Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions.
Published: 2026-03-26
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

Invoice Ninja v5.13.0 introduced a flaw where line item descriptions were not passed through the purify::clean() function before rendering, allowing malicious JavaScript to be injected into invoices. When a victim views the invoice PDF preview or accesses the client portal, the embedded script executes in their browser, potentially stealing session cookies or performing other unauthorized actions. This is a classic stored XSS defect, identified by CWE‑79 and related to improper output encoding (CWE‑116) and an incomplete denylist of disallowed inputs (CWE‑184).

Affected Systems

The vulnerability affects the Invoice Ninja application, specifically versions 5.13.0 through 5.13.3. It is tied to the invoice line item description field and is fixed in version 5.13.4, where purify::clean() sanitisation is applied. Users of any earlier release of the source‑available Invoice Ninja project are therefore impacted.

Risk and Exploitability

The CVSS base score rates the flaw as medium (5.4). EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalogue. Exploitation requires an attacker to submit or modify an invoice line item, which is typically performed by authenticated staff or administrators. Once the malicious payload is stored, any user who opens the invoice in the PDF preview or client portal will be exposed to the injected JavaScript. The risk is therefore moderate, with the main threat being the potential compromise of client accounts or unintended script execution in the application.

Generated by OpenCVE AI on March 26, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to Invoice Ninja v5.13.4 or later, which restores sanitisation of line item descriptions.
  • If an upgrade is not immediately feasible, limit invoice creation and PDF preview access to trusted users only and consider disabling those features until the patch is applied.
  • Verify that the running instance no longer serves unsanitised line item content by attempting to add a test invoice with a simple script tag.
  • Monitor the application logs and client portal access for any signs of unintended script execution or session hijacking events.
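As an added illustration of the two points above (the Impact section's missing purify::clean() step and the verification step in the Recommended Actions), not code from Invoice Ninja or from the purify package, the block below shows the allowlist approach an HTML purifier takes on a line item description: a small parser re-emits only a fixed set of formatting tags and attributes, so script elements, on* handler attributes and javascript: URLs are removed whatever form they take, rather than being matched against a denylist. It also includes a detector for the kind of post-upgrade check the Recommended Actions describe. The tag policy, function names and sample inputs are constructed assumptions for the example.

```python
"""Allowlist HTML sanitizer for rich-text fields such as invoice line item
descriptions, plus a post-render check for markup that should never survive.

Constructed example: the tag/attribute policy, function names and sample
inputs are assumptions for illustration, not Invoice Ninja's own code or
configuration, and not a reimplementation of the purify::clean() package.
"""
from html import escape
from html.parser import HTMLParser

# Assumed policy: a few inline/block formatting tags, and href on links only.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "p", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
DROPPED_WITH_CONTENT = {"script", "style"}  # the tag and its body both go


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags and attributes. Unknown tags are removed
    but their text is kept; script/style elements are removed with their body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside a dropped-with-content element

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers on* handlers, style, class, ...
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # javascript:, data:, vbscript: and relative URLs are dropped
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif not self._skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

    def handle_comment(self, data):
        pass  # comments never reach the output


def clean(html: str) -> str:
    """Return a version of `html` containing only allowlisted markup."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


class ActiveContentDetector(HTMLParser):
    """Flags script-capable markup. A field that went through clean() should
    never trip this, which makes it usable as a post-fix verification check."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.found = True
        for name, value in attrs:
            if name.startswith("on"):
                self.found = True
            if name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.found = True

    handle_startendtag = handle_starttag


def has_active_content(html: str) -> bool:
    """True if `html` still contains script-capable markup."""
    d = ActiveContentDetector()
    d.feed(html)
    d.close()
    return d.found


if __name__ == "__main__":
    # Constructed line item descriptions: one benign, one carrying a script tag.
    for desc in ("<b>Consulting</b> 3h", "Hosting <script>alert(1)</script> fee"):
        print(repr(desc), "->", repr(clean(desc)),
              "| active after clean:", has_active_content(clean(desc)))
```

The design point is that clean() never looks for known-bad strings: anything not explicitly allowed is removed, so there is no denylist to bypass. has_active_content() is the complementary check for the verification step, run against what the application actually renders after the upgrade rather than against the stored field.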



Advisories
Source: GitHub GHSA
ID: GHSA-98wm-cxpw-847p
Title: Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
History

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Invoiceninja; Invoiceninja invoice Ninja
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Invoiceninja; Invoiceninja invoice Ninja

Thu, 26 Mar 2026 21:15:00 +0000

Type: Description
  Values Added: Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions.
Type: Title
  Values Added: Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
Type: Weaknesses
  Values Added: CWE-116, CWE-184, CWE-79
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T20:48:45.739Z

Reserved: 2026-03-23T14:24:11.617Z

Link: CVE-2026-33628

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T21:17:07.113

Modified: 2026-03-26T21:17:07.113

Link: CVE-2026-33628

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:24Z

Weaknesses