NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-46489

Summary	SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.
Publication Date	June 12, 2026, 5:16 a.m.
Registration Date	June 13, 2026, 4:15 a.m.
Last Update	June 12, 2026, 8:16 p.m.

CVSS3.1 : HIGH
スコア	8.1
Vector	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	高
利用者の関与(UI)	要
影響の想定範囲(S)	変更あり
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	なし

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/SolidInvoice/SolidInvoice/commit/8196c64df58b1226739f6ec4097fd6e7ba757860	security-advisories@github.com
2	https://github.com/SolidInvoice/SolidInvoice/releases/tag/2.3.17	security-advisories@github.com
3	https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-mqwm-r4g8-wf4w	security-advisories@github.com
4	https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-mqwm-r4g8-wf4w	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html
2	CWE-434	危険なタイプのファイルの無制限アップロード	https://cwe.mitre.org/data/definitions/434.html