Publish GHSA-98wm-cxpw-847p

advisory-database[bot] · advisory-database[bot] · commit 24d25420fe62 · 2026-03-24T20:42:00.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-98wm-cxpw-847p/GHSA-98wm-cxpw-847p.json b/advisories/github-reviewed/2026/03/GHSA-98wm-cxpw-847p/GHSA-98wm-cxpw-847p.json
@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-98wm-cxpw-847p",
+  "modified": "2026-03-24T20:40:16Z",
+  "published": "2026-03-24T20:40:16Z",
+  "aliases": [
+    "CVE-2026-33628"
+  ],
+  "summary": "Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items",
+  "details": "## Vulnerability Details\n\nInvoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal.\n\nThe line item description field was not passed through `purify::clean()` before rendering.\n\n## Steps to Reproduce\n\n1. Login as any authenticated user\n2. Create or edit an invoice\n3. In a line item description, enter: `<img src=x onerror=alert(document.cookie)>`\n4. Save the invoice and preview it\n5. The XSS payload executes in the browser\n\n## Impact\n\n- **Attacker**: Any authenticated user who can create invoices\n- **Victim**: Any user viewing the invoice (including clients via the portal)\n- **Specific damage**: Session hijacking, account takeover, data exfiltration\n\n## Proposed Fix\n\nFixed in v5.13.4 by the vendor by adding `purify::clean()` to sanitize line item descriptions.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "invoiceninja/invoiceninja"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.13.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/invoiceninja/invoiceninja"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-116",
+      "CWE-184",
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-24T20:40:16Z",
+    "nvd_published_at": null
+  }
+}
