CVE-2026-46489
Deferred - Pending Action

Stored XSS in SolidInvoice via Malicious SVG Upload

Vulnerability report for CVE-2026-46489, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-12
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 2 associated CPEs

Vendor         Product        Version / Range
solidinvoice   solidinvoice   up to 2.3.17 (excluding)
solidinvoice   solidinvoice   2.3.17

Exploitability

CWE
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Executive Summary

CVE-2026-46489 is a stored cross-site scripting (XSS) vulnerability in the SolidInvoice invoicing platform prior to version 2.3.17. The vulnerability occurs because the company logo upload feature accepts SVG files without validating their content. An authenticated administrator can upload an SVG file containing embedded JavaScript, which is base64-encoded and injected unescaped into every page of the application. This causes the malicious script to execute in the browsers of all authenticated users.

Impact Analysis

This vulnerability can have severe impacts including session hijacking, cross-site request forgery (CSRF) chain attacks, credential harvesting, and full account takeover for all users of the application. Since the malicious script executes in every authenticated user's browser, an attacker can steal session cookies and other sensitive information, potentially compromising the entire user base.

Detection Guidance

Detection amounts to checking whether an authenticated administrator has uploaded an SVG file containing embedded JavaScript as the company logo on a SolidInvoice instance running a version prior to 2.3.17.

Since the malicious SVG is stored in the settings table and rendered unescaped in every page, you can inspect the logo upload settings or database entries for SVG files containing suspicious base64-encoded JavaScript.

Commands to detect this might include querying the database for SVG files in the logo settings or searching web server logs for suspicious requests related to logo uploads.

  • Use SQL queries to check the settings table for SVG content, e.g., `SELECT * FROM settings WHERE logo LIKE '%.svg%'`.
  • Search for base64-encoded JavaScript patterns in the logo data, e.g., `grep -r 'base64' /path/to/solidinvoice/data`.
  • Monitor web server logs for POST requests to the logo upload endpoint by authenticated administrators.

Mitigation Strategies

The immediate mitigation step is to upgrade SolidInvoice to version 2.3.17 or later, where the vulnerability has been patched.

This update includes validation of logo uploads to restrict file types to JPEG, PNG, GIF, and WebP, explicitly excluding SVG files to prevent embedded JavaScript execution.

If upgrading immediately is not possible, restrict administrator access to the logo upload feature and remove any existing SVG logos from the system.

Additionally, review and monitor for any suspicious activity related to logo uploads and consider applying manual validation or blocking of SVG uploads at the web server or application firewall level.
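The two defensive tasks described above, auditing already-stored logo values for SVG markup that can carry script (the Detection Guidance section) and restricting new uploads to JPEG, PNG, GIF and WebP (the Mitigation Strategies section), can be expressed as a pair of small routines. The following is an added example written for this page, not SolidInvoice's own code or its 2.3.17 patch. It assumes, as the report states, that the logo is stored base64-encoded (optionally inside a `data:` URI) and that stored values can be pulled from the settings store as `(row_id, value)` pairs; the fixtures are constructed in the block and are not real files. Unlike a filename-based allow list, the validator decides by the file's leading bytes, so an SVG renamed to `.png` is still rejected.

```python
"""Content-based logo validation plus an audit of stored logo blobs.

Constructed example accompanying the CVE-2026-46489 report; not the
project's code. Storage format (base64, optionally in a data: URI) is an
assumption taken from the report's description.
"""
import base64
import re

# Leading bytes that identify the raster formats the 2.3.17 fix permits.
RASTER_SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

SVG_MARKUP = re.compile(rb"<svg\b", re.IGNORECASE)
# Markup inside an SVG that can execute script or pull in foreign content when
# the document is rendered inline. Any single match is enough to flag a blob.
ACTIVE_CONTENT = re.compile(
    rb"<script\b|\son[a-z]+\s*=|javascript:|<foreignObject\b|<iframe\b|<embed\b",
    re.IGNORECASE,
)


def sniff_image_type(data: bytes):
    """Identify an allowed raster image by its leading bytes; None otherwise."""
    for mime, signatures in RASTER_SIGNATURES.items():
        if data.startswith(signatures):
            return mime
    # WebP is a RIFF container: "RIFF" <4-byte size> "WEBP".
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_logo_upload(data: bytes):
    """Accept only JPEG/PNG/GIF/WebP, judged by content rather than by the
    filename or the client-supplied Content-Type. Returns (accepted, detail)."""
    mime = sniff_image_type(data)
    if mime is not None:
        return True, mime
    if SVG_MARKUP.search(data[:4096]):
        return False, "SVG rejected: may carry scripts or event handlers"
    return False, "not a recognised JPEG, PNG, GIF or WebP image"


def audit_stored_logo(stored_value: str) -> dict:
    """Classify one stored logo value as 'raster', 'svg', 'unknown' or
    'undecodable', and report whether an SVG contains active content."""
    # Tolerate a data: URI wrapper such as "data:image/svg+xml;base64,....".
    _, sep, payload = stored_value.partition("base64,")
    encoded = "".join((payload if sep else stored_value).split())
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"status": "undecodable", "active_content": False}
    if sniff_image_type(raw):
        return {"status": "raster", "active_content": False}
    if SVG_MARKUP.search(raw):
        return {"status": "svg", "active_content": bool(ACTIVE_CONTENT.search(raw))}
    return {"status": "unknown", "active_content": False}


def audit_settings_rows(rows):
    """Run the audit over (row_id, stored_value) pairs; return ids to review."""
    return [row_id for row_id, value in rows
            if audit_stored_logo(value)["active_content"]]


# Constructed fixtures (not real files): headers alone suffice for sniffing.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
WEBP_SAMPLE = b"RIFF\x00\x00\x00\x00WEBPVP8 "
CLEAN_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
             b'<rect width="1" height="1"/></svg>')
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* constructed marker */">'
                b'<script>/* constructed marker */</script></svg>')
SAMPLE_ROWS = [
    (1, base64.b64encode(PNG_SAMPLE).decode()),
    (2, "data:image/svg+xml;base64," + base64.b64encode(SCRIPTED_SVG).decode()),
    (3, base64.b64encode(CLEAN_SVG).decode()),
]

if __name__ == "__main__":
    print("upload png:", validate_logo_upload(PNG_SAMPLE))
    print("upload svg:", validate_logo_upload(SCRIPTED_SVG))
    print("rows to review:", audit_settings_rows(SAMPLE_ROWS))  # [2]
```

Row 3, a script-free SVG, is not flagged by the audit but is still rejected by the validator: the patched behaviour the report describes excludes SVG outright, whereas the audit is meant to prioritise which existing records need a human look first.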

Compliance Impact

The vulnerability allows stored cross-site scripting (XSS) that can lead to session hijacking, credential harvesting, and full account takeover for all users. This can result in unauthorized access to sensitive personal and financial data managed by the invoicing platform.

Such unauthorized access and potential data breaches could violate data protection regulations like GDPR and HIPAA, which require safeguarding personal and health information against unauthorized access and ensuring data integrity and confidentiality.

Therefore, this vulnerability poses a significant risk to compliance with these standards by exposing sensitive user data to attackers through exploitation of the stored XSS flaw.
