EXECUTIVE SUMMARY:
CVE-2026-33628, with a CVSS score of 5.4, is a stored cross-site scripting (XSS) vulnerability in Invoice Ninja versions prior to v5.13.4 that allows an attacker to execute stored XSS payloads via invoice line items. The vulnerability arises because line item descriptions are not sanitized with purify::clean() before rendering, so injected markup is rendered as-is. An attacker exploits it by creating an invoice with a malicious line item description; the payload then executes for any user who views the invoice, including clients via the portal. The attack requires an authenticated user who can create invoices and no user interaction from the victim. A successful attacker gains the capability to hijack sessions, take over accounts, and exfiltrate data, with significant business impact. Exploitation requires only a basic understanding of HTML and web application vulnerabilities.
RECOMMENDATION:
We recommend updating Invoice Ninja to version v5.13.4 or later.
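As an added illustration of the defensive pattern the advisory describes (this is not Invoice Ninja's own code, which sanitizes with its purify::clean() helper), the following plain PHP escapes every line item field at render time and flags stored descriptions that already contain markup, so an administrator can review invoices saved before the fix. The field names product_key, notes and cost, and the sample records, are assumptions for this example.

```php
<?php
// Added example, not Invoice Ninja code. Escapes a line item description
// for HTML output so any stored markup is displayed literally, never executed.
function escapeDescription(string $description): string
{
    return htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Renders one invoice line item row. Every untrusted field passes through
// escapeDescription(); nothing is concatenated into the markup raw.
function renderLineItem(array $item): string
{
    return sprintf(
        "<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n",
        escapeDescription((string) ($item['product_key'] ?? '')),
        escapeDescription((string) ($item['notes'] ?? '')),
        escapeDescription((string) ($item['cost'] ?? '0'))
    );
}

// Audit helper: true when a stored description contains tags or HTML
// entities, i.e. data worth reviewing after upgrading to a fixed version,
// since an upgrade does not rewrite descriptions already in the database.
function descriptionLooksLikeMarkup(string $description): bool
{
    return $description !== strip_tags($description)
        || preg_match('/&#?\w+;/', $description) === 1;
}

// Constructed sample records (not real invoice data). The second one carries
// harmless markup so the audit check has something to flag.
$items = [
    ['product_key' => 'Consulting', 'notes' => '4 hours of onsite work', 'cost' => '400.00'],
    ['product_key' => 'Hosting', 'notes' => 'Plan "A" & support <b>bold</b>', 'cost' => '25.00'],
];

foreach ($items as $item) {
    if (descriptionLooksLikeMarkup($item['notes'])) {
        fwrite(STDERR, "Review line item: {$item['product_key']}\n");
    }
    echo renderLineItem($item);
}
```

Escaping on output is the general safeguard; Invoice Ninja's fix additionally sanitizes the description on input, and both layers together are the usual recommendation for user-supplied text.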
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-98wm-cxpw-847p