CVE-2026-46489 - Vulnerability Details

CVE-2026-46489 - SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Solidinvoice	Solidinvoice

No data.

References

Link	Providers
https://github.com/SolidInvoice/SolidInvoice/commit/8196c64df58b1226739f6ec4097fd6e7ba757860
https://github.com/SolidInvoice/SolidInvoice/releases/tag/2.3.17
https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-mqwm-r4g8-wf4w

History

Fri, 12 Jun 2026 11:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 11 Jun 2026 22:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Solidinvoice Solidinvoice solidinvoice
Vendors & Products		Solidinvoice Solidinvoice solidinvoice

Thu, 11 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.
Title		SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo
Weaknesses		CWE-434 CWE-79
References		https://github.com/SolidInvoice/SolidInvoice/commit/8196c64df58b1226739f6ec4097fd6e7ba757860 https://github.com/SolidInvoice/SolidInvoice/releases/tag/2.3.17 https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-mqwm-r4g8-wf4w
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-11T18:55:44.418Z

Updated: 2026-06-12T10:31:29.970Z

Reserved: 2026-05-14T18:06:06.811Z

Link: CVE-2026-46489

Vulnrichment

Updated: 2026-06-12T10:31:01.002Z

NVD

Status : Deferred

Published: 2026-06-11T20:16:23.240

Modified: 2026-06-12T11:16:22.853

Link: CVE-2026-46489

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object