CVE-2025-55580

MEDIUM

SolidInvoice 2.3.7 - Authenticated Stored Cross-Site Scripting in Clients Module

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-55580. PoCs published by ddobrev25.

AI-analyzed exploit summary This repository contains a writeup for CVE-2025-55580, detailing a Stored Cross-Site Scripting (XSS) vulnerability in SolidInvoice version 2.3.7. The vulnerability allows an authenticated attacker to inject arbitrary JavaScript into the Client Module, which executes when other users view the Clients page.

Description

SolidInvoice version 2.3.7 is vulnerable to a stored cross-site scripting (XSS) issue in the Clients module. An authenticated attacker can inject JavaScript that executes in other users' browsers when the Clients page is viewed. The vulnerability is fixed in version 2.3.8.

Exploits (1)

nomisec WRITEUP
by ddobrev25 · poc
https://github.com/ddobrev25/CVE-2025-55580

This repository contains a writeup for CVE-2025-55580, detailing a Stored Cross-Site Scripting (XSS) vulnerability in SolidInvoice version 2.3.7. The vulnerability allows an authenticated attacker to inject arbitrary JavaScript into the Client Module, which executes when other users view the Clients page.

Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: SolidInvoice 2.3.7
Auth required
Prerequisites: Authenticated access to the SolidInvoice application
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory
https://github.com/ddobrev25/CVE-2025-55580

Scores

CVSS v3 5.4
EPSS 0.0024
EPSS Percentile 15.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
solidinvoice/solidinvoice 2.3.7
Published Aug 29, 2025
Tracked Since Feb 18, 2026