70 matches found
CVE-2026-46622
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the apitokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a...
CVE-2026-46489
SolidInvoice (open-source invoicing platform) contains CVE-2026-46489: before version 2.3.17, the logo upload feature accepts any file type without validation, allowing an authenticated administrator to upload an SVG containing embedded JavaScript. The script is base64-encoded and injected unesca...
EUVD-2026-36303
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...
EUVD-2026-36301
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the apitokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a...
CVE-2026-46622 SolidInvoice: API tokens stored as plaintext in the database allowing full credential compromise on database breach
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the apitokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a...
CVE-2026-46622 SolidInvoice: API tokens stored as plaintext in the database allowing full credential compromise on database breach
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the apitokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a...
CVE-2026-46622
SolidInvoice before v2.3.17 stores API tokens in plaintext in the api_tokens database table. If an attacker gains read access to the database (e.g., via SQL injection, leaked backups, misconfigured replicas, or insider access), they can immediately obtain all API credentials for every user with n...
SolidInvoice 跨站脚本漏洞
SolidInvoice is an open-source invoice processing application developed by SolidInvoice. Versions of SolidInvoice prior to 2.3.17 contained a cross-site scripting vulnerability. This vulnerability stemmed from the company logo upload feature not verifying file types. As a result, authenticated...
SolidInvoice 安全漏洞
SolidInvoice is an open-source invoice processing application developed by SolidInvoice. Versions of SolidInvoice prior to 2.3.17 contained a security vulnerability. This vulnerability stemmed from API tokens being stored in the apitokens database table in plain text, which could allow attackers...
EUVD-2025-25248
Malicious code in bioql PyPI...
EUVD-2025-26219
Malicious code in bioql PyPI...
EUVD-2025-28820
Malicious code in bioql PyPI...
EUVD-2025-28821
Malicious code in bioql PyPI...
EUVD-2025-25250
Malicious code in bioql PyPI...
EUVD-2025-25252
Malicious code in bioql PyPI...
EUVD-2025-26221
Malicious code in bioql PyPI...
CVE-2025-55579
SolidInvoice version 2.3.7 is vulnerable to a Stored Cross-Site Scripting XSS issue in the Tax Rates functionality. The vulnerability is fixed in version 2.3.8...
CVE-2025-55580
SolidInvoice version 2.3.7 is vulnerable to a stored cross-site scripting XSS issue in the Clients module. An authenticated attacker can inject JavaScript that executes in other users' browsers when the Clients page is viewed. The vulnerability is fixed in version 2.3.8...
CVE-2025-55579
SolidInvoice version 2.3.7 is vulnerable to a Stored Cross-Site Scripting XSS issue in the Tax Rates functionality. The vulnerability is fixed in version 2.3.8...
CVE-2025-55580
SolidInvoice version 2.3.7 is vulnerable to a stored cross-site scripting XSS issue in the Clients module. An authenticated attacker can inject JavaScript that executes in other users' browsers when the Clients page is viewed. The vulnerability is fixed in version 2.3.8...