CVE Catalog

CVE-2026-46489

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile - higher than 9% of all known CVEs

Summary

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepted any file type without validation, allowing SVG files with embedded JavaScript to be uploaded.

Risk Assessment

The risk involves the potential for stored cross-site scripting (XSS) attacks that can affect all authenticated users of the application, exposing them to data theft or other malicious actions.

Recommendation

It is recommended to upgrade to version 2.3.17 or later to mitigate this vulnerability and implement additional file upload validation mechanisms.

Original NVD description (English source)

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS