{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33742", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-26T20:50:21.984Z", "dateUpdated": "2026-03-26T20:50:21.984Z"}, "containers": {"cna": {"title": "Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh"}, {"name": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"}], "affected": [{"vendor": "invoiceninja", "product": "invoiceninja", "versions": [{"version": "< 5.13.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:50:21.984Z"}, "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output."}], "source": {"advisory": "GHSA-xph7-9749-56mh", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output."}], "id": "CVE-2026-33742", "lastModified": "2026-03-26T21:17:08.273", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:08.273", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.13.4)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "invoiceninja", "source": "cna", "vendor": "invoiceninja"}, "product": "invoice_ninja", "vendor": "invoiceninja"}], "analysis": {"en": {"generated_at": "2026-03-26T22:24:08.344109+00:00", "value": {"mitigation_remediation": ["Upgrade Invoice Ninja to version 5.13.4 or later.", "Avoid entering raw HTML or executable scripts in product notes when upgrading is not possible.", "Verify that Markdown output is sanitized if custom rendering is used."], "summary": {"action": "Immediate Patch", "impact": "Stored XSS enabling session hijack and data theft"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Invoice Ninja version 5.13.0 up through 5.13.3. Version 5.13.4 onward includes a sanitization fix with purify::clean().", "description_and_impact": "Invoice Ninja product notes accept raw HTML through Markdown rendering without sanitization. This allows an attacker to embed malicious scripts that are persisted and executed when the invoice is viewed, leading to cross\u2011site scripting execution.", "risk_and_exploitability": "The CVSS score of 5.4 indicates medium severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by inserting malicious markup into product notes, which is stored and displayed to any authenticated user who views the affected invoice. The attack vector is inferred to be via authenticated creation or editing of product notes."}}}}, "created": "2026-03-27T08:31:55.867993+00:00", "updated": "2026-03-27T09:23:23.563205+00:00", "vendors": ["invoiceninja", "invoiceninja$PRODUCT$invoice_ninja"]}