CVE-2026-46489
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepted any file type without validation, allowing SVG files with embedded JavaScript to be uploaded.
Risk Assessment
The risk involves the potential for stored cross-site scripting (XSS) attacks that can affect all authenticated users of the application, exposing them to data theft or other malicious actions.
Recommendation
It is recommended to upgrade to version 2.3.17 or later to mitigate this vulnerability and implement additional file upload validation mechanisms.
Original NVD description (English source)
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.

