CVE-2026-33628: Invoice Ninja Denylist Bypass May Lead to Stored XSS via Invoice Line Items
- Attacker: any authenticated user who can create invoices
- Victim: any user who views the affected invoice, including clients viewing it through the client portal
- Impact: script execution in the victim's browser, enabling session hijacking, account takeover and data exfiltration
References
- github.com/advisories/GHSA-98wm-cxpw-847p
- github.com/invoiceninja/invoiceninja
- github.com/invoiceninja/invoiceninja/commit/b81a3fc302573fc4a53d61e8537dd19154ce1091
- github.com/invoiceninja/invoiceninja/releases/tag/v5.13.4
- github.com/invoiceninja/invoiceninja/security/advisories/GHSA-98wm-cxpw-847p
- nvd.nist.gov/vuln/detail/CVE-2026-33628