CVE-2026-14791

Summary

A weakness has been identified in crater-invoice-inc crater up to 6.0.6. This affects the function getFormattedString of the file app/Http/Requests/InvoicesRequest.php of the component Invoice Note Handler. Executing a manipulation of the argument notes can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Affected Software

VendorProductVersion RangeStatus
crater-invoice-inccrater6.0.0affected
crater-invoice-inccrater6.0.1affected
crater-invoice-inccrater6.0.2affected
crater-invoice-inccrater6.0.3affected
crater-invoice-inccrater6.0.4affected
crater-invoice-inccrater6.0.5affected
crater-invoice-inccrater6.0.6affected

Weaknesses

  • CWE-79: Cross Site Scripting
  • CWE-94: Code Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References