CVE-2026-33742

low-risk
Published 2026-03-26

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Product notes fields in Invoice Ninja v5.13.0 allow raw HTML via Markdown rendering, enabling stored XSS. The Markdown parser output was not sanitized with `purify::clean()` before being included in invoice templates. This is fixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize Markdown output.

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Invoice Ninja

Affected Vendors

Invoiceninja

References (3)

Release Notes https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4
Exploit https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-...
Exploit https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-xph7-9749-...
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal