CVE-2026-46489
Deferred - Pending Action
Stored XSS in SolidInvoice via Malicious SVG Upload

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.
Meta Information
Generated: 2026-06-12
AI Q&A generated: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor        Product        Version / Range
solidinvoice  solidinvoice   before 2.3.17 (affected; 2.3.17 excluded)
solidinvoice  solidinvoice   2.3.17 (the release the description names as patched)
CWE ID  Description
CWE-79  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): the product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-434 Unrestricted Upload of File with Dangerous Type: the product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Executive Summary

CVE-2026-46489 is a stored cross-site scripting (XSS) vulnerability in the SolidInvoice invoicing platform prior to version 2.3.17. The vulnerability occurs because the company logo upload feature accepts SVG files without validating their content. An authenticated administrator can upload an SVG file containing embedded JavaScript, which is base64-encoded and injected unescaped into every page of the application. This causes the malicious script to execute in the browsers of all authenticated users.

Impact Analysis

Because the payload is stored and runs in every authenticated user's browser on every page, an attacker can steal session cookies and other sensitive data, perform actions as the victim (a cross-site request forgery chain riding on the victim's session), harvest credentials through injected forms, and take over accounts across the whole user base. The precondition matters for triage: the attacker must already hold an administrator account, so the realistic threats are a rogue or compromised administrator establishing persistence and compromising the other administrators and users, rather than an initial foothold. The script also executes on the settings page an administrator would use to remove the logo, so cleanup through the UI runs the payload once more; removing it directly from the stored settings avoids that.

Detection Guidance

The indicator is an SVG stored as the company logo on a SolidInvoice instance older than 2.3.17. Per the description the logo lives in the settings table and is embedded base64-encoded and unescaped in every rendered page, so there are two places to check: the stored setting and the HTML that is actually served.

  • Query the settings table for the logo entry. The column and key names below are illustrative; check the schema of your version: `SELECT * FROM settings WHERE logo LIKE '%svg%'`. Because the value may be stored base64-encoded, a match on the literal `.svg` or `<script` is not guaranteed; decode the value and inspect the bytes for an `<svg` root and for `<script>` elements, `on*` event-handler attributes, `javascript:` hrefs and `<foreignObject>`.
  • Fetch any authenticated page and inspect the served HTML around the logo. An inline `<svg` or a `data:image/svg+xml;base64,` value in the logo position means an SVG logo is in place; decode the base64 and inspect it as above.
  • Review web server and application logs for multipart POST requests to the logo upload endpoint (the path depends on your version) made by administrator accounts, and attribute each to the administrator who performed it, since the attacker must hold an administrator account.
  • Searching the data directory for the bare string `base64` is too noisy to be useful; search instead for files with an SVG root that were stored as the logo.
Mitigation Strategies

The immediate mitigation is to upgrade SolidInvoice to version 2.3.17 or later, where the vulnerability is patched.

The fix restricts logo uploads to JPEG, PNG, GIF and WebP and rejects SVG, so script carried inside an image file no longer reaches the rendered page.

If you cannot upgrade immediately, remove any existing SVG logo from the stored settings rather than through the UI (the payload runs on the settings page too), limit the set of administrators who can change company settings, and establish which administrator uploaded the file.

Treat an SVG logo found on an affected instance as evidence of compromise: invalidate sessions and rotate credentials for users who may have loaded pages while it was present, since the script had access to their sessions. Where you add a blocking rule at the web server or application firewall, inspect the uploaded file's content rather than its extension or declared Content-Type, because both are chosen by the client and a file named logo.png can still be an SVG.
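Content-based allowlisting of the kind the fix applies, as an added example (not SolidInvoice code). The weak check models trusting client-supplied extension and Content-Type, which the pre-2.3.17 behaviour is at least as permissive as; the strong check enforces the JPEG/PNG/GIF/WebP set the advisory says 2.3.17 allows, keyed on the file's leading bytes. The size cap, the function names and the sample uploads (minimal headers, not real images) are all assumptions of this example.

```python
"""Content-based allowlisting of logo uploads.

Added example for this CVE page; not SolidInvoice code. `weak_validate` models
a check that trusts client metadata; `validate_logo` accepts only files whose
magic bytes identify an allowed raster format, so SVG is rejected whatever the
upload claims to be. The size cap and sample uploads are constructed.
"""
import os

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif", "image/webp"}
MAX_LOGO_BYTES = 2 * 1024 * 1024  # illustrative cap, not a project setting
EXTENSION_FOR = {"image/jpeg": ".jpg", "image/png": ".png", "image/gif": ".gif", "image/webp": ".webp"}


def sniff_image_type(data):
    """Return the MIME type implied by the magic bytes, or None if not allowed."""
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "image/png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def weak_validate(filename, declared_type):
    """Extension/Content-Type check only. Both values come from the client,
    so an SVG uploaded as logo.png with Content-Type image/png passes."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED_EXTENSIONS or declared_type in ALLOWED_TYPES


def validate_logo(data, max_bytes=MAX_LOGO_BYTES):
    """Return (accepted, detail): detail is the sniffed MIME type or a reason.

    Filename and declared Content-Type are deliberately not consulted; the
    stored type and the Content-Type used when serving the logo should both be
    derived from the sniffed value.
    """
    if len(data) > max_bytes:
        return False, "file exceeds size limit"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "not a JPEG/PNG/GIF/WebP image (SVG and other types rejected)"
    return True, sniffed


def stored_name(sniffed):
    """Server-chosen filename so the on-disk extension never comes from the client."""
    return "company-logo" + EXTENSION_FOR[sniffed]


# Constructed uploads: an SVG disguised as PNG, and minimal PNG/WebP headers.
DISGUISED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
MINIMAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
MINIMAL_WEBP = b"RIFF" + b"\x10\x00\x00\x00" + b"WEBP" + b"VP8 " + b"\x00" * 4

if __name__ == "__main__":
    print("weak check accepts disguised SVG:", weak_validate("logo.png", "image/png"))
    print("strong check on disguised SVG:", validate_logo(DISGUISED_SVG))
    print("strong check on PNG:", validate_logo(MINIMAL_PNG), stored_name("image/png"))
```

Magic-byte sniffing closes the SVG vector because SVG is XML and cannot begin with a raster signature, but it does not prove the rest of the file is a well-formed image; decoding and re-encoding the upload with an image library is the stronger follow-up if polyglot files are a concern.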
