Description
Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions.
Published: 2026-03-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via denial list bypass
Action: Immediate Patch
AI Analysis

Impact

A denial‑list bypass in Invoice Ninja’s line item description field allows attackers to insert JavaScript payloads that are stored and later rendered without sanitization. When an invoice is viewed in the PDF preview or client portal, the malicious code executes in the victim’s browser, potentially exposing session cookies, accessing user data, or performing actions on behalf of the user. The issue is based on the weaknesses of CWE‑79, CWE‑116 and CWE‑184.

Affected Systems

The vulnerability affects the Invoice Ninja application, specifically versions from 5.13.0 up through 5.13.3. The designated vendor product is Invoice Ninja (invoiceninja:invoiceninja). The fix was introduced in version 5.13.4.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate risk level. With an EPSS score of less than 1%, the likelihood of widespread exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to create or edit an invoice line item on a vulnerable installation and then persuade or trick a user to view the rendered invoice, usually via the PDF preview or client portal interface. The goal is to deliver stored XSS content that runs in the victim’s context.

Generated by OpenCVE AI on March 30, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading to Invoice Ninja version 5.13.4 or later

Generated by OpenCVE AI on March 30, 2026 at 18:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-98wm-cxpw-847p Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
History

Mon, 30 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:invoiceninja:invoice_ninja:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Invoiceninja
Invoiceninja invoice Ninja
Vendors & Products Invoiceninja
Invoiceninja invoice Ninja

Thu, 26 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions.
Title Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
Weaknesses CWE-116
CWE-184
CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Invoiceninja Invoice Ninja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:55:36.614Z

Reserved: 2026-03-23T14:24:11.617Z

Link: CVE-2026-33628

cve-icon Vulnrichment

Updated: 2026-03-27T13:34:04.471Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:07.113

Modified: 2026-03-30T17:24:09.000

Link: CVE-2026-33628

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:57:26Z

Weaknesses