{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33628", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T14:24:11.617Z", "datePublished": "2026-03-26T20:48:45.739Z", "dateUpdated": "2026-03-27T13:55:36.614Z"}, "containers": {"cna": {"title": "Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p"}, {"name": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091", "tags": ["x_refsource_MISC"], "url": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091"}, {"name": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"}], "affected": [{"vendor": "invoiceninja", "product": "invoiceninja", "versions": [{"version": "< 5.13.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:48:45.739Z"}, "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions."}], "source": {"advisory": "GHSA-98wm-cxpw-847p", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:34:13.647878Z", "id": "CVE-2026-33628", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:55:36.614Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33628", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:34:13.647878Z"}}}], "references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:34:04.471Z"}}], "cna": {"title": "Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items", "source": {"advisory": "GHSA-98wm-cxpw-847p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "invoiceninja", "product": "invoiceninja", "versions": [{"status": "affected", "version": "< 5.13.4"}]}], "references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p", "name": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091", "name": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "name": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:48:45.739Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33628", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:55:36.614Z", "dateReserved": "2026-03-23T14:24:11.617Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:48:45.739Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:invoiceninja:invoice_ninja:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC4B6AFE-F1E5-491A-8E54-A20207B38036", "versionEndExcluding": "5.13.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions."}, {"lang": "es", "value": "Invoice Ninja es una aplicaci\u00f3n de facturaci\u00f3n, presupuestos, proyectos y seguimiento del tiempo de c\u00f3digo fuente disponible, construida con Laravel. Las descripciones de las l\u00edneas de art\u00edculos de las facturas en Invoice Ninja v5.13.0 eluden el filtro de denylist de XSS, permitiendo que las cargas \u00fatiles de XSS almacenadas se ejecuten cuando las facturas se renderizan en la vista previa de PDF o en el portal del cliente. El campo de descripci\u00f3n de la l\u00ednea de art\u00edculo no se pas\u00f3 por 'purify::clean()' antes de la renderizaci\u00f3n. Esto se corrigi\u00f3 en la v5.13.4 por el proveedor al a\u00f1adir 'purify::clean()' para sanear las descripciones de las l\u00edneas de art\u00edculos."}], "id": "CVE-2026-33628", "lastModified": "2026-03-30T17:24:09.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:07.113", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}, {"lang": "en", "value": "CWE-184"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.13.4)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "invoiceninja", "source": "cna", "vendor": "invoiceninja"}, "product": "invoice_ninja", "vendor": "invoiceninja"}], "analysis": {"en": {"generated_at": "2026-03-30T18:29:22.313466+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s patch by upgrading to Invoice Ninja version 5.13.4 or later"], "summary": {"action": "Immediate Patch", "impact": "Stored XSS via denial list bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Invoice Ninja application, specifically versions from 5.13.0 up through 5.13.3. The designated vendor product is Invoice Ninja (invoiceninja:invoiceninja). The fix was introduced in version 5.13.4.", "description_and_impact": "A denial\u2011list bypass in Invoice Ninja\u2019s line item description field allows attackers to insert JavaScript payloads that are stored and later rendered without sanitization. When an invoice is viewed in the PDF preview or client portal, the malicious code executes in the victim\u2019s browser, potentially exposing session cookies, accessing user data, or performing actions on behalf of the user. The issue is based on the weaknesses of CWE\u201179, CWE\u2011116 and CWE\u2011184.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate risk level. With an EPSS score of less than 1%, the likelihood of widespread exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to create or edit an invoice line item on a vulnerable installation and then persuade or trick a user to view the rendered invoice, usually via the PDF preview or client portal interface. The goal is to deliver stored XSS content that runs in the victim\u2019s context."}}}}, "created": "2026-03-27T08:31:56.745078+00:00", "updated": "2026-03-30T20:57:26.229869+00:00", "vendors": ["invoiceninja", "invoiceninja$PRODUCT$invoice_ninja"]}