SolidInvoice CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH SolidInvoice CVE published 2026-06-11

CVE-2026-46622

CVE-2026-46622 is a high-severity vulnerability in SolidInvoice, an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests were stored as plaintext strings in the api_tokens database table. This allowed any attacker with read access to the database — through SQL injection, a leaked backup, a misconfigured replica, or insider access — to immediately o [truncated]

HIGH SolidInvoice CVE published 2026-06-11

CVE-2026-46489

CVE-2026-46489 is a high-severity vulnerability in SolidInvoice, an open-source invoicing platform. An authenticated administrator can upload an SVG file with a malicious JavaScript payload, which is then injected into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue was patched in version 2.3.17.