Description
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.
Published: 2026-06-11
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SolidInvoice's logo upload accepts files without MIME validation, allowing an administrator to upload an SVG containing base64‑encoded JavaScript. Because the content is injected unescaped into every rendered page for authenticated users, the flaw results in stored cross‑site scripting that executes across the entire user base. An attacker can steal session cookies, hijack accounts, and launch further attacks against other users.

Affected Systems

All versions of SolidInvoice prior to 2.3.17, notably SolidInvoice 2.3.x and earlier releases. The vulnerability is fixed in 2.3.17 and later.

Risk and Exploitability

The CVSS score of 8.1 indicates high impact, and the flaw is available to any authenticated administrator, which is a common role in invoicing environments. Because no remote exploitation path is required, the attack surface is limited to compromised or privileged accounts. While the EPSS score is not available, the absence of a KEV listing does not diminish the high risk profile, and administrators should assume immediate patching is required.

Generated by OpenCVE AI on June 11, 2026 at 21:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest patch 2.3.17 or newer, which implements MIME type validation for logo uploads.
  • Limit logo upload capability to trusted administrators and enforce IP or role‑based restrictions.
  • Validate or sanitize SVG uploads to reject any embedded script before accepting the file.

Generated by OpenCVE AI on June 11, 2026 at 21:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Solidinvoice
Solidinvoice solidinvoice
Vendors & Products Solidinvoice
Solidinvoice solidinvoice

Thu, 11 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.
Title SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo
Weaknesses CWE-434
CWE-79
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Solidinvoice Solidinvoice
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T18:55:44.418Z

Reserved: 2026-05-14T18:06:06.811Z

Link: CVE-2026-46489

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-11T20:16:23.240

Modified: 2026-06-11T20:50:49.480

Link: CVE-2026-46489

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T22:00:08Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')