CVE-2026-33742 PUBLISHED

Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes

Assigner: GitHub_M
Reserved: 23.03.2026 Published: 26.03.2026 Updated: 27.03.2026

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with purify::clean() before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding purify::clean() to sanitize Markdown output.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	invoiceninja
Product	invoiceninja
Versions	Version < 5.13.4 is affected

References

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE