GHSA-98wm-cxpw-847p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-98wm-cxpw-847p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-98wm-cxpw-847p/GHSA-98wm-cxpw-847p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-98wm-cxpw-847p
- Aliases
-
- CVE-2026-33628
- Published
- 2026-03-24T20:40:16Z
- Modified
- 2026-03-27T21:50:43.613847Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
- Details
-
Vulnerability Details
Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal.
The line item description field was not passed through
purify::clean()before rendering.Steps to Reproduce
- Login as any authenticated user
- Create or edit an invoice
- In a line item description, enter:
<img src=x onerror=alert(document.cookie)> - Save the invoice and preview it
- The XSS payload executes in the browser
Impact
- Attacker: Any authenticated user who can create invoices
- Victim: Any user viewing the invoice (including clients via the portal)
- Specific damage: Session hijacking, account takeover, data exfiltration
Proposed Fix
Fixed in v5.13.4 by the vendor by adding
purify::clean()to sanitize line item descriptions. - Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-116", "CWE-184", "CWE-79" ], "nvd_published_at": "2026-03-26T21:17:07Z", "github_reviewed_at": "2026-03-24T20:40:16Z", "severity": "MODERATE" }- References
-
- https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p
- https://nvd.nist.gov/vuln/detail/CVE-2026-33628
- https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091
- https://github.com/invoiceninja/invoiceninja
- https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4
Affected packages
Packagist / invoiceninja/invoiceninja
Package
- Name
- invoiceninja/invoiceninja
- Purl
- pkg:composer/invoiceninja/invoiceninja