CVE-2026-46489

Source
https://cve.org/CVERecord?id=CVE-2026-46489
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46489.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46489
Aliases
  • GHSA-mqwm-r4g8-wf4w
Published
2026-06-11T18:55:44.418Z
Modified
2026-07-08T08:05:17.561902254Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo
Details

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46489.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-434",
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/solidinvoice/solidinvoice

Affected ranges

Type
GIT
Repo
https://github.com/solidinvoice/solidinvoice
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.17"
        }
    ]
}

Affected versions

0.*
0.1.0
0.1.0-alpha1
0.1.0-beta1
0.2.0
0.3.0
0.4.0
0.4.1
0.4.2
0.5.0
0.6.0
0.7.0
0.8.0
1.*
1.0.0
1.0.3
1.1.0
2.*
2.0.0
2.0.0-alpha1
2.0.0-alpha2
2.0.0-alpha3
2.0.0-beta1
2.0.0-beta2
2.0.0-rc
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0
2.3.10
2.3.11
2.3.12
2.3.13
2.3.14
2.3.15
2.3.16
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46489.json"