674 matches found
CVE-2026-26378
Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features...
CVE-2026-42877
FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales Core/Lib/AjaxForms/SalesModalHTML.php and purchases documents Core/Lib/AjaxForms/PurchasesModalHTML.php. An...
CVE-2026-42877
FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales Core/Lib/AjaxForms/SalesModalHTML.php and purchases documents Core/Lib/AjaxForms/PurchasesModalHTML.php. An...
EUVD-2026-32630
FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales Core/Lib/AjaxForms/SalesModalHTML.php and purchases documents Core/Lib/AjaxForms/PurchasesModalHTML.php. An...
CVE-2026-42877
CVE-2026-42877 describes a stored XSS in FacturaScripts where the product variant field referencia is injected into an onclick attribute in SalesModalHTML.php and PurchasesModalHTML.php without proper escaping. The vulnerability allows an authenticated user with warehouse access to create a malic...
Banana RAT Malware in Fake Invoices Hits Customers at 16 Brazilian Banks
Banana RAT malware hidden in fake invoices and security update screens targets customers at 16 Brazilian banks stealing data with QR fraud...
CVE-2026-45714
CubeCart prior to version 6.7.0 is affected by an Authenticated Server-Side Template Injection (SSTI) in multiple modules (Email Templates, Invoices, Documents, Contact Forms). The issue arises from unsafely evaluating user-supplied input with the Smarty template engine without enabling Smarty Se...
CVE-2026-45714 CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection SSTI vulnerability exists in multiple modules of CubeCart including Email Templates, Invoices, Documents, and Contact Forms. The application unsafely evaluates user-supplied input using the...
EUVD-2026-30176
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection SSTI vulnerability exists in multiple modules of CubeCart including Email Templates, Invoices, Documents, and Contact Forms. The application unsafely evaluates user-supplied input using the...
CVE-2026-44298 Kimai: Arbitrary file read in invoice PDF renderer (admin)
Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin ROLESYSTEADMIN and the permission uploadinvoicetemplate can upload PDF invoice templates, which can call pdfContext.setOption'associatedfiles', ... inside the sandboxe...
PT-2026-38615
Summary A stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other use...
CVE-2026-7107
A weakness has been identified in code-projects Invoice System in Laravel 1.0. The impacted element is an unknown function of the file /company. This manipulation of the argument logo causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made availabl...
CVE-2026-40486
Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint PATCH /api/users/id/preferences applies submitted preference values without checking the isEnabled flag on preference objects. Although the hourlyrate and internalrate fields are...
WordPress WooCommerce PDF Invoices & Packing Slips plugin < 5.9.0 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Plugin WooCommerce PDF Invoices & Packing Slips versions 5.9.0...
CVE-2026-5234 LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID
The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::createpaymentintentfortransaction action is registered as a public action no authentication required an...
WordPress plugin LatePoint 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
CVE-2026-39562
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through = 20.8.10...
EUVD-2026-20205
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through = 20.8.10...
CVE-2026-39562
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through = 20.8.10...
CVE-2026-39562 WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.10 - Broken Access Control vulnerability
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through = 20.8.10...