CVE-2026-46489 HIGH

CVE-2026-46489: SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo

Vendor Solidinvoice

Product SolidInvoice

Weakness CWE-79 · XSS

Published June 11, 2026

Last update June 12, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.

Key dates

02Disclosure timeline

June 11, 2026 CVE published

June 12, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-46489

Related vulnerabilities

CVE-2026-46489: SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo

01Description

02Disclosure timeline

03References

04Related CVE