HarborGuard Database

CVE-2026-46489 (Severity: HIGH; CNA: GitHub_M)

CVE-2026-46489: SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validating its content or MIME type. An authenticated administrator can upload an SVG file containing embedded JavaScript. The uploaded file, script included, is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 2.3.17
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a stored cross-site scripting (XSS) vulnerability in SolidInvoice, an open-source invoicing platform. An authenticated administrator can upload a malicious SVG file as the company logo; because the application performs no file type or MIME validation, the JavaScript embedded in the SVG is injected unescaped into every page and executes in the browser of every authenticated user who visits the application. Successful exploitation lets an attacker run arbitrary JavaScript in victims' sessions, enabling credential theft, account takeover, or unauthorized actions on behalf of affected users. SolidInvoice 2.3.17 contains the upstream fix; HarborGuard tracks the advisory and flags images built from earlier versions.
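To make the root cause concrete, the following is an added Python example, not SolidInvoice's own code (the function and variable names are this editor's): a logo handler that classifies the upload by its bytes rather than by the client-supplied MIME type or extension, beside the vulnerable and the safe way of putting the stored logo into a page. The script-bearing SVG and the PNG header stub are constructed inputs, not real files.

```python
# Added example (not SolidInvoice's own code): validate a logo upload by the
# bytes it contains, not by the client-supplied MIME type or extension, and
# never inline unvalidated upload content into page markup.
import base64
import html

# Magic-byte signatures for the raster formats a company logo should accept.
_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",  # covers GIF87a and GIF89a
}
_CANONICAL_MIME = {"png": "image/png", "jpeg": "image/jpeg", "gif": "image/gif"}
_EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


class UploadRejected(ValueError):
    """Raised when an upload fails content validation."""


def sniff_image_type(data: bytes) -> str:
    """Classify file content as 'png', 'jpeg', 'gif', 'svg' or 'unknown'.

    'svg' is reported only so callers can log what was attempted; the
    allowlist below treats it exactly like any other unrecognised content.
    """
    for kind, sig in _SIGNATURES.items():
        if data.startswith(sig):
            return kind
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n").lower()  # skip BOM/whitespace
    if head[:1] == b"<" and b"<svg" in head[:4096]:
        return "svg"
    return "unknown"


def validate_logo_upload(data: bytes, declared_mime: str, filename: str) -> str:
    """Return the canonical MIME type to store, or raise UploadRejected.

    Content, declared MIME type and extension must all agree: an SVG renamed
    to logo.png and declared as image/png is still rejected on its bytes.
    """
    kind = sniff_image_type(data)
    if kind not in _CANONICAL_MIME:
        raise UploadRejected(f"content is not an allowed raster image ({kind})")
    if declared_mime.strip().lower() != _CANONICAL_MIME[kind]:
        raise UploadRejected("declared MIME type does not match file content")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if _EXTENSIONS.get(ext) != kind:
        raise UploadRejected("file extension does not match file content")
    return _CANONICAL_MIME[kind]


def render_logo_vulnerable(data: bytes) -> str:
    """The pattern the advisory describes: upload bytes land in the page
    unescaped and untyped, so an SVG's <script> or onload= runs as page script."""
    return '<div class="logo">' + data.decode("utf-8", "replace") + "</div>"


def render_logo_safe(data: bytes, mime: str) -> str:
    """Embed only a validated raster type, as an <img> data: URI. The MIME
    string is the validator's canonical value, never the client's."""
    if mime not in _CANONICAL_MIME.values():
        raise UploadRejected("refusing to render an unvalidated type")
    b64 = base64.b64encode(data).decode("ascii")
    return f'<img class="logo" alt="Company logo" src="data:{html.escape(mime)};base64,{b64}">'


# Constructed sample inputs (not real files): a script-bearing SVG and a
# PNG header stub; the stub is enough to exercise magic-byte detection.
MALICIOUS_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">'
    b"<script>alert(1)</script></svg>"
)
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


if __name__ == "__main__":
    for blob, mime, name in [
        (PNG_STUB, "image/png", "logo.png"),
        (MALICIOUS_SVG, "image/svg+xml", "logo.svg"),
        (MALICIOUS_SVG, "image/png", "logo.png"),  # spoofed type and extension
    ]:
        try:
            print(name, "accepted as", validate_logo_upload(blob, mime, name))
        except UploadRejected as exc:
            print(name, "rejected:", exc)
    print("vulnerable render contains <script>:",
          "<script>" in render_logo_vulnerable(MALICIOUS_SVG))
```

The design point is the allowlist: the validator never asks "is this an SVG?", it asks "is this one of the three raster formats I serve?", so a payload that dodges SVG detection (a leading comment, an unusual prolog) is still rejected because it matches nothing allowed.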

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-46489 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images derived from SolidInvoice base layers.
Triage: Available

HarborGuard scores this CVE at 8.1 HIGH using the CVSS v3.1 vector and weights it against each customer environment's compliance policy to determine urgency and routing, surfacing findings to the appropriate team inbox within each organization.
Patch: Fix version 2.3.17

The upstream fix for CVE-2026-46489 is SolidInvoice 2.3.17. HarborGuard re-checks the advisory on every ingest cycle and makes a patched-image rebuild available once an upstream fix is released; for customers with auto-remediation enabled, a rebuilt image, a regression-test run, and a pull request against affected workloads are generated without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the SolidInvoice web interface over the network to upload the malicious SVG file.

  • Authentication: Required (administrator)

    An administrator-level account is required; a low-privilege user cannot access the logo upload feature. This is the PR:H in the CVSS vector, and it is what holds the score to 8.1 despite the changed scope.

  • Victim interaction: Required

    Victim users must load any page of the application in their browser for the injected JavaScript to execute, which happens automatically during normal authenticated use.

  • Attack complexity: Low

    The exploit is reliable and condition-free once admin access is obtained; no race conditions or special environmental factors are needed.

Blast Radius

  • Runs inside the victim's session: the script can read session tokens exposed to JavaScript (cookies without the HttpOnly flag, tokens in local storage) and, even where cookies are HttpOnly, can issue authenticated requests from the victim's browser, enabling account takeover across the entire user base.
  • Executes arbitrary JavaScript in the browser context of every authenticated user, allowing form submission, data exfiltration, or credential harvesting on their behalf.
  • Modifies page content as rendered in victims' browsers, enabling phishing overlays or redirection to attacker-controlled sites.

How HarborGuard Handles This

Available on HarborGuard: images derived from SolidInvoice versions earlier than 2.3.17 are flagged as affected on every ingest cycle, and findings are routed through each customer's compliance policy weighting. The fix is to upgrade to SolidInvoice 2.3.17 or later. Where the upgrade cannot ship immediately, compensating controls are: restrict ingress to the SolidInvoice admin interface with a Kubernetes NetworkPolicy or equivalent network filtering; keep administrator accounts to a minimum, since only an admin credential can reach the upload feature; block SVG uploads at a WAF or upload proxy by inspecting the request body rather than the client-supplied Content-Type header or file extension, both of which the attacker controls; and, if the application's own scripts tolerate it, serve a Content-Security-Policy whose script-src omits 'unsafe-inline', which stops inline <script> elements and on* handlers in markup injected into an HTML page from running. A logo uploaded before the upgrade may still be stored and rendered depending on how the fix treats existing uploads, so inspect and replace any logo uploaded while the instance was vulnerable. For customers with auto-remediation enabled, the patched-image rebuild triggers a regression-test run and a PR opened against affected workloads automatically.

Affected packages

  • SolidInvoice / SolidInvoice: < 2.3.17 (fixed in 2.3.17)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N