CVE-2026-33742

Summary

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with purify::clean() before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding purify::clean() to sanitize Markdown output.

Affected Software

VendorProductVersion RangeStatus
invoiceninjainvoiceninja< 5.13.4affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References