Description
Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output.
Published: 2026-03-26
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS in product notes
Action: Patch
AI Analysis

Impact

Invoice Ninja’s product notes field accepts raw HTML through Markdown rendering. The rendered output is embedded into invoice templates without being sanitized by purify::clean(), so an attacker can store a script that runs in the browser of anyone who renders the invoice. This stored cross-site scripting can lead to session hijacking, defacement, or data exfiltration affecting any user who views the affected invoice.
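The sanitize-after-render pattern that the Description and the Impact paragraph describe, shown here as an added example in Python rather than in Invoice Ninja's own PHP (this is not the project's code): a toy Markdown renderer that passes raw HTML through, as real Markdown engines do; an allow-list HTML sanitizer standing in for purify::clean(); the vulnerable and the fixed embedding side by side; and an audit helper for sweeping already-stored notes. The function names, the allow-list and the two sample notes are all constructed for this example.

```python
"""Added example for CVE-2026-33742: sanitize Markdown *output* before it is
embedded in a template. Stdlib only; nothing here is Invoice Ninja code."""
import re
from html import escape
from html.parser import HTMLParser

# Constructed allow-list: enough for formatted notes, nothing that runs code.
ALLOWED_TAGS = {"p", "strong", "em", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)
DROP_WITH_CONTENT = {"script", "style"}  # drop the element *and* its text


def render_markdown(text: str) -> str:
    """Toy Markdown renderer (**bold**, *emphasis*, paragraphs). Like real
    engines it passes raw HTML through untouched; that pass-through is what
    makes unsanitized output dangerous."""
    paragraphs = []
    for block in text.strip().split("\n\n"):
        html = re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", block.strip())
        html = re.sub(r"\*(.+?)\*", r"<em>\1</em>", html)
        paragraphs.append(f"<p>{html}</p>")
    return "\n".join(paragraphs)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds HTML keeping only allow-listed tags and attributes, and
    records what it dropped so one pass also serves as an audit."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []
        self._skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            self.dropped.append(f"tag:{tag}")
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")  # unknown tag: keep text only
            return
        kept = []
        for name, value in attrs:
            allowed = name in ALLOWED_ATTRS.get(tag, set()) and value is not None
            if allowed and name == "href" and not SAFE_URL.match(value.strip()):
                allowed = False  # rejects javascript:/data: style URLs
            if allowed:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"attr:{tag}.{name}")  # e.g. event handlers
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):  # <br/> and friends
        self.handle_starttag(tag, attrs)
        if tag != "br":
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif not self._skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text nodes


def sanitize(html: str) -> str:
    """Stand-in for purify::clean(): returns only allow-listed markup."""
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)


def audit_notes(notes: str) -> list[str]:
    """Lists the markup the sanitizer would strip from one stored note."""
    s = AllowlistSanitizer()
    s.feed(render_markdown(notes))
    s.close()
    return s.dropped


def render_notes_vulnerable(notes: str) -> str:
    """v5.13.0-v5.13.3 pattern as the advisory describes it: Markdown output
    goes straight into the invoice template."""
    return f'<div class="notes">{render_markdown(notes)}</div>'


def render_notes_fixed(notes: str) -> str:
    """v5.13.4 pattern: sanitize the rendered HTML before embedding it."""
    return f'<div class="notes">{sanitize(render_markdown(notes))}</div>'


# Constructed samples: a benign note, and one carrying raw HTML with a script
# element and an event-handler attribute.
BENIGN_NOTE = "**Hosting** for *March*, see https://example.com"
MALICIOUS_NOTE = "**Hosting**\n\n<script>alert(1)</script><img src=x onerror=alert(1)>"

if __name__ == "__main__":
    for note in (BENIGN_NOTE, MALICIOUS_NOTE):
        print("vulnerable:", render_notes_vulnerable(note))
        print("fixed:     ", render_notes_fixed(note))
        print("audit:     ", audit_notes(note))
```

Two points the code makes that the advisory only implies: the sanitizer must run on the rendered HTML, not on the Markdown source, because the renderer itself emits tags; and upgrading stops stored payloads from executing but does not delete them, so a sweep of existing product notes with something like audit_notes() tells you which records were tampered with and by whom.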

Affected Systems

The issue exists in Invoice Ninja v5.13.0 through v5.13.3 for the invoiceninja:invoiceninja product. The vendor states that the bug is fixed in v5.13.4, so deployments running earlier versions are vulnerable. The affected product is the source-available invoice, quote, project and time-tracking application built on Laravel.

Risk and Exploitability

The CVSS base score of 5.4 indicates moderate impact; the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV, implying no known active exploitation. Likely attack vectors are users with write access to product notes who introduce malicious HTML, or attackers with database access who inject the payload directly. Because the scripts execute in the viewer’s browser context, the threat is confined to users who open the compromised invoice or template.

Generated by OpenCVE AI on March 30, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Invoice Ninja 5.13.4 or later to apply HTML sanitization.


Tracking


Advisories

No advisories yet.

History

Mon, 30 Mar 2026 17:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:invoiceninja:invoice_ninja:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Invoiceninja; Invoiceninja invoice Ninja
Type: Vendors & Products
Values Added: Invoiceninja; Invoiceninja invoice Ninja

Thu, 26 Mar 2026 21:15:00 +0000

Type: Description
Values Added: Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output.
Type: Title
Values Added: Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added: (empty)
Type: Metrics
Values Added: cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T13:55:25.963Z

Reserved: 2026-03-23T17:34:57.561Z

Link: CVE-2026-33742

Vulnrichment

Updated: 2026-03-27T13:33:28.490Z

NVD

Status : Analyzed

Published: 2026-03-26T21:17:08.273

Modified: 2026-03-30T17:02:40.170

Link: CVE-2026-33742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:25Z

Weaknesses