CVE-2026-33742

by Fred · 26/03/2026

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output.

More information : https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4

CVE-2026-33742

Similar

Recent Posts

Categories

CVE-2026-33742

Share this:

Similar

Recent Posts

Categories

Tags