{"id":"CVE-2026-33628","summary":"Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items","details":"Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The line item description field was not passed through `purify::clean()` before rendering. The vendor fixed this in v5.13.4 by adding `purify::clean()` to sanitize line item descriptions.","aliases":["GHSA-98wm-cxpw-847p"],"modified":"2026-04-10T05:42:53.450028Z","published":"2026-03-26T20:48:45.739Z","database_specific":{"cwe_ids":["CWE-116","CWE-184","CWE-79"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33628.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33628.json"},{"type":"FIX","url":"https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091"},{"type":"WEB","url":"https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"},{"type":"ADVISORY","url":"https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33628"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/invoiceninja/invoiceninja","events":[{"introduced":"0"},{"fixed":"5ff2095eafe4a891807e4be7a91e1bfb8e56269c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.13.4"}]}}],"versions":["5.8.56","v5.0","v5.0.1","v5.0.10","v5.0.12","v5.0.12-release","v5.0.13","v5.0.13-release","v5.0.16","v5.0.16-release","v5.0.17","v5.0.17-release","v5.0.2","v5.0.23","v5.0.3","v5.0.4","v5.0.5","v5.0.6","v5.0.7","v5.0.8","v5.0.9","v5.10.0","v5.10.1","v5.10.10","v5.10.11","v5.10.12","v5.10.13",
"v5.10.14","v5.10.15","v5.10.16","v5.10.17","v5.10.18","v5.10.19","v5.10.2","v5.10.20","v5.10.21","v5.10.22","v5.10.23","v5.10.24","v5.10.25","v5.10.26","v5.10.27","v5.10.28","v5.10.29","v5.10.3","v5.10.30","v5.10.31","v5.10.32","v5.10.33","v5.10.34","v5.10.35","v5.10.36","v5.10.37","v5.10.38","v5.10.39","v5.10.4","v5.10.40","v5.10.41","v5.10.42","v5.10.43","v5.10.44","v5.10.45","v5.10.46","v5.10.47","v5.10.48","v5.10.49","v5.10.5","v5.10.50","v5.10.51","v5.10.52","v5.10.53","v5.10.54","v5.10.55","v5.10.56","v5.10.57","v5.10.58","v5.10.59","v5.10.6","v5.10.60","v5.10.61","v5.10.62","v5.10.7","v5.10.8","v5.10.9","v5.11.0","v5.11.1","v5.11.10","v5.11.11","v5.11.12","v5.11.13","v5.11.14","v5.11.15","v5.11.16","v5.11.17","v5.11.18","v5.11.19","v5.11.2","v5.11.20","v5.11.21","v5.11.22","v5.11.23","v5.11.24","v5.11.25","v5.11.26","v5.11.27","v5.11.28","v5.11.29","v5.11.3","v5.11.30","v5.11.31","v5.11.32","v5.11.33","v5.11.34","v5.11.35","v5.11.36","v5.11.37","v5.11.38","v5.11.39","v5.11.4","v5.11.40","v5.11.41","v5.11.42","v5.11.43","v5.11.44","v5.11.44a","v5.11.45","v5.11.46","v5.11.48","v5.11.49","v5.11.5","v5.11.50","v5.11.51","v5.11.52","v5.11.53","v5.11.54","v5.11.55","v5.11.56","v5.11.57","v5.11.58","v5.11.59","v5.11.6","v5.11.60","v5.11.61","v5.11.62","v5.11.63","v5.11.64","v5.11.65","v5.11.66","v5.11.67","v5.11.68","v5.11.69","v5.11.7","v5.11.70","v5.11.71","v5.11.72","v5.11.73","v5.11.74","v5.11.75","v5.11.76","v5.11.77","v5.11.78","v5.11.79","v5.11.8","v5.11.80","v5.11.81","v5.11.82","v5.11.9","v5.12.0","v5.12.1","v5.12.10","v5.12.11","v5.12.12","v5.12.13","v5.12.14","v5.12.15","v5.12.16","v5.12.17","v5.12.18","v5.12.19","v5.12.2","v5.12.20","v5.12.21","v5.12.22","v5.12.23","v5.12.24","v5.12.25","v5.12.26","v5.12.27","v5.12.28","v5.12.29","v5.12.3","v5.12.30","v5.12.31","v5.12.32","v5.12.33","v5.12.34","v5.12.35","v5.12.36","v5.12.37","v5.12.38","v5.12.39","v5.12.4","v5.12.40","v5.12.41","v5.12.43","v5.12.44","v5.12.45","v5.12.46","v5.12.47","v5.12.48","v5.12.5"
,"v5.12.50","v5.12.51","v5.12.52","v5.12.53","v5.12.54","v5.12.55","v5.12.56","v5.12.57","v5.12.58","v5.12.59","v5.12.6","v5.12.60","v5.12.61","v5.12.62","v5.12.63","v5.12.64","v5.12.65","v5.12.66","v5.12.67","v5.12.68","v5.12.69","v5.12.7","v5.12.70","v5.12.8","v5.12.9","v5.13.0","v5.13.1","v5.13.2","v5.13.3","v5.5.100","v5.5.101","v5.5.102","v5.5.103","v5.5.104","v5.5.105","v5.5.106","v5.5.107","v5.5.108","v5.5.109","v5.5.110","v5.5.111","v5.5.112","v5.5.113","v5.5.114","v5.5.115","v5.5.116","v5.5.117","v5.5.118","v5.5.119","v5.5.120","v5.5.121","v5.5.122","v5.5.123","v5.5.124","v5.5.71","v5.5.73","v5.5.74","v5.5.75","v5.5.76","v5.5.77","v5.5.78","v5.5.79","v5.5.80","v5.5.81","v5.5.82","v5.5.83","v5.5.84","v5.5.85","v5.5.86","v5.5.87","v5.5.88","v5.5.89","v5.5.90","v5.5.91","v5.5.92","v5.5.93","v5.5.94","v5.5.95","v5.5.96","v5.5.97","v5.5.98","v5.5.99","v5.6.0","v5.6.1","v5.6.10","v5.6.11","v5.6.12","v5.6.2","v5.6.3","v5.6.4","v5.6.5","v5.6.6","v5.6.7","v5.6.8","v5.6.9","v5.7.10","v5.7.11","v5.7.12","v5.7.13","v5.7.14","v5.7.15","v5.7.16","v5.7.17","v5.7.18","v5.7.19","v5.7.20","v5.7.21","v5.7.22","v5.7.23","v5.7.24","v5.7.25","v5.7.26","v5.7.27","v5.7.28","v5.7.29","v5.7.30","v5.7.31","v5.7.32","v5.7.33","v5.7.34","v5.7.35","v5.7.36","v5.7.37","v5.7.38","v5.7.39","v5.7.40","v5.7.41","v5.7.42","v5.7.43","v5.7.44","v5.7.45","v5.7.46","v5.7.47","v5.7.48","v5.7.49","v5.7.50","v5.7.51","v5.7.52","v5.7.53","v5.7.54","v5.7.55","v5.7.56","v5.7.57","v5.7.58","v5.7.59","v5.7.60","v5.7.61","v5.7.62","v5.7.63","v5.7.7","v5.7.8","v5.7.9","v5.8.0","v5.8.1","v5.8.10","v5.8.11","v5.8.12","v5.8.13","v5.8.14","v5.8.15","v5.8.16","v5.8.17","v5.8.18","v5.8.19","v5.8.2","v5.8.20","v5.8.21","v5.8.22","v5.8.23","v5.8.24","v5.8.25","v5.8.26","v5.8.27","v5.8.28","v5.8.29","v5.8.3","v5.8.30","v5.8.31","v5.8.32","v5.8.33","v5.8.34","v5.8.35","v5.8.36","v5.8.37","v5.8.38","v5.8.39","v5.8.4","v5.8.40","v5.8.41","v5.8.42","v5.8.43","v5.8.44","v5.8.45","v5.8.46","v5.8.47","v5.8.48","v5.8.49","
v5.8.5","v5.8.50","v5.8.51","v5.8.52","v5.8.53","v5.8.54","v5.8.55","v5.8.56","v5.8.57","v5.8.6","v5.8.7","v5.8.8","v5.8.9","v5.9.0","v5.9.1","v5.9.2","v5.9.3","v5.9.4","v5.9.5","v5.9.6","v5.9.7","v5.9.8","v5.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33628.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}