PT-2026-28521 · Unknown+1 · Invoice Ninja+1

Morimori-Dev · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-33742

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Invoice Ninja versions 5.13.0 through 5.13.3

Description: Invoice Ninja, an invoice, quote, project, and time-tracking application built with Laravel, has an issue in versions 5.13.0 through 5.13.3 where the product notes fields allow raw HTML to pass through Markdown rendering, potentially leading to stored cross-site scripting (XSS). The Markdown parser's output was not sanitized with the purify::clean() function before being included in invoice templates, so an attacker with the ability to edit product notes could inject malicious markup into the system.

Recommendations: Update to version 5.13.4 or later.

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33742
GHSA-XPH7-9749-56MH

Affected Products

Invoice Ninja
Laravel