PatchSiren cyber security CVE debrief
CVE-2026-46489 SolidInvoice CVE debrief
CVE-2026-46489 is a high-severity vulnerability in SolidInvoice, an open-source invoicing platform. An authenticated administrator can upload an SVG file with a malicious JavaScript payload, which is then injected into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue was patched in version 2.3.17.
- Vendor: SolidInvoice
- Product: Unknown
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Administrators and users of SolidInvoice versions prior to 2.3.17 should apply the patch to prevent exploitation of this vulnerability.
Technical summary
The company logo upload feature in SolidInvoice accepts any file type without validation, allowing an authenticated administrator to upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser.
Defensive priority
HIGH
Recommended defensive actions
- Apply the patch by updating to SolidInvoice version 2.3.17 or later.
- Restrict file uploads to only accept specific, validated file types.
- Monitor administrator logo-upload activity for unexpected file types and add further controls, such as output escaping of uploaded content, to limit exploitation.
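The upload-validation and output-escaping advice above, as an added example that is not SolidInvoice's own code: a logo-upload check that identifies the file by its magic bytes rather than its declared type, refuses SVG entirely (logging whether it carried script or event-handler content), and only then embeds the accepted image as an escaped data URI. The allow-list of PNG and JPEG, the function names and the sample inputs are assumptions made for this example.

```python
import base64
import html
import re
from typing import Optional, Tuple

# Allow-list of raster formats identified by their leading magic bytes (assumed policy).
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}

# Markers of active content inside SVG/XML; matched case-insensitively on raw bytes.
ACTIVE_SVG = re.compile(rb"<\s*script|\son[a-z]+\s*=|javascript:|<\s*foreignObject", re.IGNORECASE)


def sniff_mime(data: bytes) -> Optional[str]:
    """Identify the content by its bytes, never by the declared type or extension."""
    for magic, mime in RASTER_MAGIC.items():
        if data.startswith(magic):
            return mime
    head = data.lstrip()[:1024].lower()
    if head.startswith(b"<?xml") or b"<svg" in head:
        return "image/svg+xml"
    return None


def validate_logo(data: bytes, declared_mime: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Only PNG/JPEG whose bytes match the declared type pass."""
    actual = sniff_mime(data)
    if actual is None:
        return False, "unrecognised content"
    if actual == "image/svg+xml":
        # SVG is rejected outright; the reason records whether it carried script for logging.
        if ACTIVE_SVG.search(data):
            return False, "svg rejected: active content found"
        return False, "svg rejected: not an allowed logo format"
    if actual != declared_mime:
        return False, f"declared {declared_mime} but content is {actual}"
    return True, actual


def logo_img_tag(data: bytes, declared_mime: str) -> str:
    """Embed an accepted logo as a data URI with the attribute escaped, never injected raw."""
    ok, mime = validate_logo(data, declared_mime)
    if not ok:
        raise ValueError(mime)
    src = f"data:{mime};base64,{base64.b64encode(data).decode('ascii')}"
    return f'<img src="{html.escape(src, quote=True)}" alt="logo">'


# Constructed sample inputs: a minimal PNG header and an SVG carrying an event handler and script.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>'
```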
Evidence notes
CVE-2026-46489 has a CVSS score of 8.1 and is classified as HIGH severity. The vulnerability was published on 2026-06-11T20:16:23.240Z and modified on 2026-06-12T11:16:22.853Z.