PT-2026-1550 · Unknown · Invoice Ninja

Gets · Published 2026-01-07 · Updated 2026-01-07 · CVE-2026-0649

CVSS v2.0: 5.8 (Medium)

Vector: AV:N/AC:L/Au:M/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

invoiceninja versions prior to 5.12.38

Description

A security issue exists in invoiceninja. The issue involves server-side request forgery (SSRF) stemming from manipulation of the company logo argument within the copy function of the /app/Jobs/Util/Import.php file, part of the Migration Import component. This allows for remote exploitation. The details of the issue have been publicly disclosed.

Recommendations

Update invoiceninja to version 5.12.38 or later.

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-0649

Affected Products

Invoice Ninja