CVE-2026-46489
Published: Thu, 11 Jun 2026 20:16
Details
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.
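The root cause the advisory names is that the logo upload trusts whatever file it receives, so the defence is server-side validation of the uploaded bytes. The following is an added example of such a check (my code, not SolidInvoice's own PHP implementation): it allow-lists raster logo formats by their magic bytes rather than by the client-supplied filename or Content-Type, and when the upload is an SVG it explains why it is rejected (script elements, event-handler attributes, javascript: links). The PNG and SVG inputs at the bottom are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Allow-listed raster logo formats, identified by leading magic bytes. The
# filename and Content-Type header are attacker-controlled and not consulted.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def sniff_raster(data: bytes):
    """Return the MIME type if the bytes start with an allow-listed signature."""
    for sig, mime in MAGIC.items():
        if data.startswith(sig):
            return mime
    return None

def svg_active_content(data: bytes) -> list:
    """List the ways an SVG could execute script when rendered inline in a page."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()   # strip the XML namespace
        if tag == "script":
            findings.append("<script> element")
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()
            if local.startswith("on"):            # onload=, onclick=, ...
                findings.append(f"event handler {local}")
            if local == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append("javascript: href")
    return findings

def validate_logo_upload(data: bytes):
    """Accept only allow-listed raster images; otherwise return (False, reason)."""
    mime = sniff_raster(data)
    if mime:
        return True, mime
    head = data.lstrip()[:256].lower()
    if b"<svg" in head or b"<?xml" in head:
        reasons = svg_active_content(data) or ["SVG not permitted as logo"]
        return False, "rejected SVG: " + "; ".join(reasons)
    return False, "rejected: unrecognised image format"

# Constructed samples: a PNG signature with dummy payload, and an SVG with script.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* js */</script>'
              b'<a href="javascript:void(0)"/><rect onload="f()"/></svg>')
```

The accepted MIME type returned here is also the value that should be used when the logo is later embedded as a base64 data: URI, so the browser never has to guess the content type.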
References
- https://github.com/SolidInvoice/SolidInvoice/commit/8196c64df58b1226739f6ec4097fd6e7ba757860
- https://github.com/SolidInvoice/SolidInvoice/releases/tag/2.3.17
- https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-mqwm-r4g8-wf4w