{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33742", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-26T20:50:21.984Z", "dateUpdated": "2026-03-27T13:55:25.963Z"}, "containers": {"cna": {"title": "Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh"}, {"name": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"}], "affected": [{"vendor": "invoiceninja", "product": "invoiceninja", "versions": [{"version": "< 5.13.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:50:21.984Z"}, "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output."}], "source": {"advisory": "GHSA-xph7-9749-56mh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:33:33.494289Z", "id": "CVE-2026-33742", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:55:25.963Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33742", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:33:33.494289Z"}}}], "references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:33:28.490Z"}}], "cna": {"title": "Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes", "source": {"advisory": "GHSA-xph7-9749-56mh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "invoiceninja", "product": "invoiceninja", "versions": [{"status": "affected", "version": "< 5.13.4"}]}], "references": [{"url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh", "name": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "name": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:50:21.984Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33742", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:55:25.963Z", "dateReserved": "2026-03-23T17:34:57.561Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T20:50:21.984Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:invoiceninja:invoice_ninja:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC4B6AFE-F1E5-491A-8E54-A20207B38036", "versionEndExcluding": "5.13.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output."}, {"lang": "es", "value": "Invoice Ninja es una aplicaci\u00f3n de facturaci\u00f3n, presupuestos, proyectos y seguimiento del tiempo de c\u00f3digo fuente disponible, construida con Laravel. Los campos de notas de producto en Invoice Ninja v5.13.0 permiten HTML en bruto a trav\u00e9s de la renderizaci\u00f3n de Markdown, lo que permite XSS almacenado. La salida del analizador de Markdown no fue saneada con 'purify::clean()' antes de ser incluida en las plantillas de factura. Esto se corrigi\u00f3 en la v5.13.4 por el proveedor al a\u00f1adir 'purify::clean()' para sanear la salida de Markdown."}], "id": "CVE-2026-33742", "lastModified": "2026-03-30T17:02:40.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:08.273", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.13.4)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "invoiceninja", "source": "cna", "vendor": "invoiceninja"}, "product": "invoice_ninja", "vendor": "invoiceninja"}], "analysis": {"en": {"generated_at": "2026-03-30T18:29:07.091131+00:00", "value": {"mitigation_remediation": ["Upgrade to Invoice Ninja 5.13.4 or later to apply HTML sanitization."], "summary": {"action": "Patch", "impact": "Stored XSS in product notes"}, "threat_synthesis": {"affected_systems": "The issue exists in Invoice Ninja v5.13.0 through v5.13.3 for the invoiceninja:invoiceninja product. The vendor explicitly states that the bug is fixed in v5.13.4, so deployments running earlier versions are vulnerable. The affected products are the source\u2011available invoice, quote, project and time\u2011tracking application built on Laravel.", "description_and_impact": "Invoice Ninja\u2019s product notes field accepts raw HTML through Markdown rendering. The output is embedded into invoice templates without sanitization via purify::clean(), enabling attackers to store malicious scripts that run in any browser that renders the invoice. This stored Cross\u2011Site Scripting can lead to session hijacking, defacement, or malicious data exfiltration relative to any user who views the affected invoice.", "risk_and_exploitability": "The CVSS base score of 5.4 indicates moderate impact; the EPSS score of less than 1\u202f% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV, implying no known active exploitation. Likely attack vectors involve users with write access to product notes who can introduce malicious HTML, or attackers who can access the database to inject the payload. Because the scripts execute in the context of the viewer, the threat is confined to users who open the compromised invoice or template."}}}}, "created": "2026-03-27T08:31:55.867993+00:00", "updated": "2026-03-30T20:57:25.297778+00:00", "vendors": ["invoiceninja", "invoiceninja$PRODUCT$invoice_ninja"]}