Unrated severityNVD Advisory· Published Mar 26, 2026· Updated Mar 27, 2026

Invoice Ninja has Stored XSS via Markdown HTML Injection in Product Notes

CVE-2026-33742

Description

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with purify::clean() before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding purify::clean() to sanitize Markdown output.

Affected products

Invoiceninja/Invoiceninjav5
Range: < 5.13.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4mitrex_refsource_MISC
github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-56mhmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000