CVE-2026-46489

Published Jun 11, 2026

Last updated 2 days ago

CVSS high 8.1

Overview

Description
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.
Source
security-advisories@github.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.1
Impact score
5.8
Exploitability score
1.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-79

Social media

Hype score
Not currently trending

References

Sources include official advisories and independent security research.