PT-2026-27631 · Unknown · Invoice Ninja
Morimori-Dev · Published 2026-03-24 · Updated 2026-03-26 · CVE-2026-33628
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Invoice Ninja versions 5.13.0 through 5.13.3
Description: Invoice Ninja versions 5.13.0 through 5.13.3 allow stored cross-site scripting (XSS) through invoice line item descriptions. The line item description field was not sanitized with purify::clean() before rendering, so an attacker could inject malicious markup. Any authenticated user capable of creating invoices can exploit this against any user who views the invoice, including clients accessing the portal. Potential consequences include session hijacking, account takeover, and data exfiltration. The vulnerable parameter is the line item description field; the vulnerable function is the invoice rendering process in the PDF preview and client portal.
Recommendations: Upgrade to version 5.13.4 or later; the fix applies purify::clean() to sanitize line item descriptions.
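As an added illustration of the flaw described above (example code, not Invoice Ninja's own), here is a line item description rendered raw and after sanitization. It assumes ezyang/htmlpurifier is installed via Composer and that purify::clean() wraps HTMLPurifier, as the Laravel Purify package does; the sample description is constructed.

```php
<?php
// Added example, not Invoice Ninja's code: renders an invoice line item
// description with and without HTML sanitization.
// Assumes ezyang/htmlpurifier is installed via Composer (the Laravel
// Purify::clean() helper named in the advisory wraps this same library).
require __DIR__ . '/vendor/autoload.php';

// Constructed sample: harmless formatting plus a script tag and an event
// handler of the kind a stored XSS payload would carry.
$description = '<b>Consulting</b> (10h)<script>alert(1)</script>'
    . '<img src="x" onerror="alert(1)">';

// Vulnerable rendering: the stored value is interpolated into the invoice
// HTML unchanged, so any script it carries runs for whoever views the
// PDF preview or the client portal.
function renderLineItemVulnerable(string $desc): string
{
    return '<td class="description">' . $desc . '</td>';
}

// Hardened rendering: pass the value through HTMLPurifier first. An
// explicit allowlist keeps simple formatting tags and drops script tags,
// event-handler attributes and anything else not on the list.
function renderLineItemSafe(string $desc): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'b,i,u,br,p');
    $purifier = new HTMLPurifier($config);
    return '<td class="description">' . $purifier->purify($desc) . '</td>';
}

echo renderLineItemVulnerable($description), PHP_EOL;
echo renderLineItemSafe($description), PHP_EOL;
```

Comparing the two lines of output shows which markup survives the allowlist; the same check, run over existing stored descriptions, is a quick way to find items saved before the upgrade.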

Exploit

Fix

Tags: XSS · Incomplete List of Disallowed Inputs · Improper Encoding or Escaping of Output

Weakness Enumeration

Related Identifiers: CVE-2026-33628, GHSA-98WM-CXPW-847P

Affected Products: Invoice Ninja