SpirityCVE

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://www.spirityenterprise.com/pentest
https://www.spirityenterprise.com/managed-detection-response
https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4
https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh

History

Thu, 26 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output.
Title		Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes
Weaknesses		CWE-79
References		https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4 https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mh
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-26T20:50:21.984Z

Updated: 2026-03-26T20:50:21.984Z

Reserved: 2026-03-23T17:34:57.561Z

Link: CVE-2026-33742

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-26T21:17:08.273

Modified: 2026-03-26T21:17:08.273

Link: CVE-2026-33742

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object