Search criteria
77 vulnerabilities found for InvoicePlane by InvoicePlane
CVE-2026-26281 (GCVE-0-2026-26281)
Vulnerability from nvd – Published: 2026-02-18 23:03 – Updated: 2026-02-19 16:47
VLAI?
Title
InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26281",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T16:46:12.464734Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T16:47:43.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T23:03:08.876Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-ccpx-2v5c-cc24",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-ccpx-2v5c-cc24"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-ccpx-2v5c-cc24",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26281",
"datePublished": "2026-02-18T23:03:08.876Z",
"dateReserved": "2026-02-12T17:10:53.414Z",
"dateUpdated": "2026-02-19T16:47:43.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26270 (GCVE-0-2026-26270)
Vulnerability from nvd – Published: 2026-02-18 23:01 – Updated: 2026-02-19 16:42
VLAI?
Title
InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into the "Identifier Format" field. This script executes when any user views the invoice list or the main dashboard. Version 1.7.1 patches the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26270",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T16:41:16.920195Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T16:42:10.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into the \"Identifier Format\" field. This script executes when any user views the invoice list or the main dashboard. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T23:01:41.222Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-432m-jv69-qp5j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-432m-jv69-qp5j"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-432m-jv69-qp5j",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26270",
"datePublished": "2026-02-18T23:01:41.222Z",
"dateReserved": "2026-02-12T17:10:53.413Z",
"dateUpdated": "2026-02-19T16:42:10.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25596 (GCVE-0-2026-25596)
Vulnerability from nvd – Published: 2026-02-18 22:59 – Updated: 2026-02-19 16:33
VLAI?
Title
InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
<= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25596",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T16:28:59.972711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T16:33:52.856Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T22:59:44.627Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-3wjq-822q-98f4",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25596",
"datePublished": "2026-02-18T22:59:44.627Z",
"dateReserved": "2026-02-03T01:02:46.717Z",
"dateUpdated": "2026-02-19T16:33:52.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25548 (GCVE-0-2026-25548)
Vulnerability from nvd – Published: 2026-02-18 22:49 – Updated: 2026-02-19 17:46
VLAI?
Title
InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue.
Severity ?
9.1 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
<= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T17:07:35.625979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T17:46:01.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117: Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T22:49:15.235Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-g6rw-m9mf-33ch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-g6rw-m9mf-33ch"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-g6rw-m9mf-33ch",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25548",
"datePublished": "2026-02-18T22:49:15.235Z",
"dateReserved": "2026-02-02T19:59:47.376Z",
"dateUpdated": "2026-02-19T17:46:01.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25595 (GCVE-0-2026-25595)
Vulnerability from nvd – Published: 2026-02-18 22:52 – Updated: 2026-02-19 17:45
VLAI?
Title
InvoicePlane has Stored XSS via Invoice Number in Invoice View and Dashboard
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
<= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T17:05:05.872020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T17:45:39.099Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T22:52:27.047Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-xxvr-2564-6jg6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-xxvr-2564-6jg6"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-xxvr-2564-6jg6",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Stored XSS via Invoice Number in Invoice View and Dashboard"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25595",
"datePublished": "2026-02-18T22:52:27.047Z",
"dateReserved": "2026-02-03T01:02:46.717Z",
"dateUpdated": "2026-02-19T17:45:39.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25594 (GCVE-0-2026-25594)
Vulnerability from nvd – Published: 2026-02-18 22:50 – Updated: 2026-02-19 17:45
VLAI?
Title
InvoicePlane has Stored XSS via Family Name in Product Form
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
<= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25594",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T17:05:08.835937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T17:45:49.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T22:50:45.523Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-wrr7-2f27-8h94",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-wrr7-2f27-8h94"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-wrr7-2f27-8h94",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Stored XSS via Family Name in Product Form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25594",
"datePublished": "2026-02-18T22:50:45.523Z",
"dateReserved": "2026-02-03T01:02:46.716Z",
"dateUpdated": "2026-02-19T17:45:49.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24745 (GCVE-0-2026-24745)
Vulnerability from nvd – Published: 2026-02-18 22:47 – Updated: 2026-02-19 16:14
VLAI?
Title
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24745",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T16:13:01.232137Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T16:14:50.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application\u0027s integrity. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T22:47:19.717Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-r9rq-f946-6x54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-r9rq-f946-6x54"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-r9rq-f946-6x54",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has a Stored Cross-Site Scripting (XSS) issue"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24745",
"datePublished": "2026-02-18T22:47:19.717Z",
"dateReserved": "2026-01-26T19:06:16.059Z",
"dateUpdated": "2026-02-19T16:14:50.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24744 (GCVE-0-2026-24744)
Vulnerability from nvd – Published: 2026-02-18 21:01 – Updated: 2026-02-20 19:35
VLAI?
Title
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24744",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T19:35:12.616197Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T19:35:24.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application\u0027s integrity. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T21:01:27.566Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-5mxx-553h-m62w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-5mxx-553h-m62w"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-5mxx-553h-m62w",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has a Stored Cross-Site Scripting (XSS) issue"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24744",
"datePublished": "2026-02-18T21:01:27.566Z",
"dateReserved": "2026-01-26T19:06:16.059Z",
"dateUpdated": "2026-02-20T19:35:24.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24743 (GCVE-0-2026-24743)
Vulnerability from nvd – Published: 2026-02-18 20:59 – Updated: 2026-02-19 14:58
VLAI?
Title
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24743",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T14:58:04.399743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T14:58:46.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application\u0027s integrity. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T21:02:03.860Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-485m-4725-2428",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-485m-4725-2428"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-485m-4725-2428",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has a Stored Cross-Site Scripting (XSS) issue"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24743",
"datePublished": "2026-02-18T20:59:16.103Z",
"dateReserved": "2026-01-26T19:06:16.059Z",
"dateUpdated": "2026-02-19T14:58:46.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24746 (GCVE-0-2026-24746)
Vulnerability from nvd – Published: 2026-02-18 20:51 – Updated: 2026-02-18 21:23
VLAI?
Title
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at the quote_number parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24746",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T21:21:54.563121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T21:23:14.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at the quote_number parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application\u0027s integrity. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T21:04:32.752Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-73x8-gr6v-vjvj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-73x8-gr6v-vjvj"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-73x8-gr6v-vjvj",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has a Stored Cross-Site Scripting (XSS) issue"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24746",
"datePublished": "2026-02-18T20:51:20.813Z",
"dateReserved": "2026-01-26T19:06:16.059Z",
"dateUpdated": "2026-02-18T21:23:14.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23491 (GCVE-0-2026-23491)
Vulnerability from nvd – Published: 2026-02-18 19:52 – Updated: 2026-02-18 20:50
VLAI?
Title
InvoicePlane has Unauthenticated Path Traversal in Guest Controller
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
< 1.6.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23491",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T20:09:06.932604Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:09:15.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module\u0027s `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:50:36.374Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/add8bb798dde621f886823065ef1841986543c69",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/add8bb798dde621f886823065ef1841986543c69"
}
],
"source": {
"advisory": "GHSA-88gq-mv54-v3fc",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Unauthenticated Path Traversal in Guest Controller"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23491",
"datePublished": "2026-02-18T19:52:26.304Z",
"dateReserved": "2026-01-13T15:47:41.628Z",
"dateUpdated": "2026-02-18T20:50:36.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67082 (GCVE-0-2025-67082)
Vulnerability from nvd – Published: 2026-01-15 00:00 – Updated: 2026-01-15 15:52
VLAI?
Summary
An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-67082",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T15:50:48.854309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T15:52:21.994Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in \"maxQuantity\" and \"minQuantity\" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T15:02:55.575Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/InvoicePlane/InvoicePlane"
},
{
"url": "https://www.helx.io/blog/advisory-invoice-plane/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-67082",
"datePublished": "2026-01-15T00:00:00.000Z",
"dateReserved": "2025-12-08T00:00:00.000Z",
"dateUpdated": "2026-01-15T15:52:21.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67084 (GCVE-0-2025-67084)
Vulnerability from nvd – Published: 2026-01-15 00:00 – Updated: 2026-01-22 02:57
VLAI?
Summary
File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).
Severity ?
9.9 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-67084",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T02:57:09.464121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-616",
"description": "CWE-616 Incomplete Identification of Uploaded File Variables (PHP)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T02:57:13.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T15:08:13.105Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/InvoicePlane/InvoicePlane"
},
{
"url": "https://www.helx.io/blog/advisory-invoice-plane/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-67084",
"datePublished": "2026-01-15T00:00:00.000Z",
"dateReserved": "2025-12-08T00:00:00.000Z",
"dateUpdated": "2026-01-22T02:57:13.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26281 (GCVE-0-2026-26281)
Vulnerability from cvelistv5 – Published: 2026-02-18 23:03 – Updated: 2026-02-19 16:47
VLAI?
Title
InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26281",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T16:46:12.464734Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T16:47:43.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T23:03:08.876Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-ccpx-2v5c-cc24",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-ccpx-2v5c-cc24"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-ccpx-2v5c-cc24",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26281",
"datePublished": "2026-02-18T23:03:08.876Z",
"dateReserved": "2026-02-12T17:10:53.414Z",
"dateUpdated": "2026-02-19T16:47:43.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26270 (GCVE-0-2026-26270)
Vulnerability from cvelistv5 – Published: 2026-02-18 23:01 – Updated: 2026-02-19 16:42
VLAI?
Title
InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into the "Identifier Format" field. This script executes when any user views the invoice list or the main dashboard. Version 1.7.1 patches the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26270",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T16:41:16.920195Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T16:42:10.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into the \"Identifier Format\" field. This script executes when any user views the invoice list or the main dashboard. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T23:01:41.222Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-432m-jv69-qp5j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-432m-jv69-qp5j"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-432m-jv69-qp5j",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26270",
"datePublished": "2026-02-18T23:01:41.222Z",
"dateReserved": "2026-02-12T17:10:53.413Z",
"dateUpdated": "2026-02-19T16:42:10.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25596 (GCVE-0-2026-25596)
Vulnerability from cvelistv5 – Published: 2026-02-18 22:59 – Updated: 2026-02-19 16:33
VLAI?
Title
InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
<= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25596",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T16:28:59.972711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T16:33:52.856Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T22:59:44.627Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-3wjq-822q-98f4",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25596",
"datePublished": "2026-02-18T22:59:44.627Z",
"dateReserved": "2026-02-03T01:02:46.717Z",
"dateUpdated": "2026-02-19T16:33:52.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25595 (GCVE-0-2026-25595)
Vulnerability from cvelistv5 – Published: 2026-02-18 22:52 – Updated: 2026-02-19 17:45
VLAI?
Title
InvoicePlane has Stored XSS via Invoice Number in Invoice View and Dashboard
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
<= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T17:05:05.872020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T17:45:39.099Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T22:52:27.047Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-xxvr-2564-6jg6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-xxvr-2564-6jg6"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-xxvr-2564-6jg6",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Stored XSS via Invoice Number in Invoice View and Dashboard"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25595",
"datePublished": "2026-02-18T22:52:27.047Z",
"dateReserved": "2026-02-03T01:02:46.717Z",
"dateUpdated": "2026-02-19T17:45:39.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25594 (GCVE-0-2026-25594)
Vulnerability from cvelistv5 – Published: 2026-02-18 22:50 – Updated: 2026-02-19 17:45
VLAI?
Title
InvoicePlane has Stored XSS via Family Name in Product Form
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
<= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25594",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T17:05:08.835937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T17:45:49.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T22:50:45.523Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-wrr7-2f27-8h94",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-wrr7-2f27-8h94"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-wrr7-2f27-8h94",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Stored XSS via Family Name in Product Form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25594",
"datePublished": "2026-02-18T22:50:45.523Z",
"dateReserved": "2026-02-03T01:02:46.716Z",
"dateUpdated": "2026-02-19T17:45:49.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25548 (GCVE-0-2026-25548)
Vulnerability from cvelistv5 – Published: 2026-02-18 22:49 – Updated: 2026-02-19 17:46
VLAI?
Title
InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue.
Severity ?
9.1 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
<= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T17:07:35.625979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T17:46:01.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117: Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T22:49:15.235Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-g6rw-m9mf-33ch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-g6rw-m9mf-33ch"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-g6rw-m9mf-33ch",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25548",
"datePublished": "2026-02-18T22:49:15.235Z",
"dateReserved": "2026-02-02T19:59:47.376Z",
"dateUpdated": "2026-02-19T17:46:01.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24745 (GCVE-0-2026-24745)
Vulnerability from cvelistv5 – Published: 2026-02-18 22:47 – Updated: 2026-02-19 16:14
VLAI?
Title
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24745",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T16:13:01.232137Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T16:14:50.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application\u0027s integrity. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T22:47:19.717Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-r9rq-f946-6x54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-r9rq-f946-6x54"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-r9rq-f946-6x54",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has a Stored Cross-Site Scripting (XSS) issue"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24745",
"datePublished": "2026-02-18T22:47:19.717Z",
"dateReserved": "2026-01-26T19:06:16.059Z",
"dateUpdated": "2026-02-19T16:14:50.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24744 (GCVE-0-2026-24744)
Vulnerability from cvelistv5 – Published: 2026-02-18 21:01 – Updated: 2026-02-20 19:35
VLAI?
Title
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24744",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T19:35:12.616197Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T19:35:24.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application\u0027s integrity. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T21:01:27.566Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-5mxx-553h-m62w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-5mxx-553h-m62w"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-5mxx-553h-m62w",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has a Stored Cross-Site Scripting (XSS) issue"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24744",
"datePublished": "2026-02-18T21:01:27.566Z",
"dateReserved": "2026-01-26T19:06:16.059Z",
"dateUpdated": "2026-02-20T19:35:24.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24743 (GCVE-0-2026-24743)
Vulnerability from cvelistv5 – Published: 2026-02-18 20:59 – Updated: 2026-02-19 14:58
VLAI?
Title
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24743",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T14:58:04.399743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T14:58:46.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application\u0027s integrity. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T21:02:03.860Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-485m-4725-2428",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-485m-4725-2428"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-485m-4725-2428",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has a Stored Cross-Site Scripting (XSS) issue"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24743",
"datePublished": "2026-02-18T20:59:16.103Z",
"dateReserved": "2026-01-26T19:06:16.059Z",
"dateUpdated": "2026-02-19T14:58:46.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24746 (GCVE-0-2026-24746)
Vulnerability from cvelistv5 – Published: 2026-02-18 20:51 – Updated: 2026-02-18 21:23
VLAI?
Title
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at the quote_number parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Severity ?
5.7 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
= 1.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24746",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T21:21:54.563121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T21:23:14.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "= 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at the quote_number parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application\u0027s integrity. Version 1.7.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T21:04:32.752Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-73x8-gr6v-vjvj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-73x8-gr6v-vjvj"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"
}
],
"source": {
"advisory": "GHSA-73x8-gr6v-vjvj",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has a Stored Cross-Site Scripting (XSS) issue"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24746",
"datePublished": "2026-02-18T20:51:20.813Z",
"dateReserved": "2026-01-26T19:06:16.059Z",
"dateUpdated": "2026-02-18T21:23:14.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23491 (GCVE-0-2026-23491)
Vulnerability from cvelistv5 – Published: 2026-02-18 19:52 – Updated: 2026-02-18 20:50
VLAI?
Title
InvoicePlane has Unauthenticated Path Traversal in Guest Controller
Summary
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| InvoicePlane | InvoicePlane |
Affected:
< 1.6.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23491",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T20:09:06.932604Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:09:15.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "InvoicePlane",
"vendor": "InvoicePlane",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module\u0027s `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:50:36.374Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc"
},
{
"name": "https://github.com/InvoicePlane/InvoicePlane/commit/add8bb798dde621f886823065ef1841986543c69",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InvoicePlane/InvoicePlane/commit/add8bb798dde621f886823065ef1841986543c69"
}
],
"source": {
"advisory": "GHSA-88gq-mv54-v3fc",
"discovery": "UNKNOWN"
},
"title": "InvoicePlane has Unauthenticated Path Traversal in Guest Controller"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23491",
"datePublished": "2026-02-18T19:52:26.304Z",
"dateReserved": "2026-01-13T15:47:41.628Z",
"dateUpdated": "2026-02-18T20:50:36.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67082 (GCVE-0-2025-67082)
Vulnerability from cvelistv5 – Published: 2026-01-15 00:00 – Updated: 2026-01-15 15:52
VLAI?
Summary
An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-67082",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T15:50:48.854309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T15:52:21.994Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in \"maxQuantity\" and \"minQuantity\" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T15:02:55.575Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/InvoicePlane/InvoicePlane"
},
{
"url": "https://www.helx.io/blog/advisory-invoice-plane/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-67082",
"datePublished": "2026-01-15T00:00:00.000Z",
"dateReserved": "2025-12-08T00:00:00.000Z",
"dateUpdated": "2026-01-15T15:52:21.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67084 (GCVE-0-2025-67084)
Vulnerability from cvelistv5 – Published: 2026-01-15 00:00 – Updated: 2026-01-22 02:57
VLAI?
Summary
File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).
Severity ?
9.9 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-67084",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T02:57:09.464121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-616",
"description": "CWE-616 Incomplete Identification of Uploaded File Variables (PHP)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T02:57:13.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T15:08:13.105Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/InvoicePlane/InvoicePlane"
},
{
"url": "https://www.helx.io/blog/advisory-invoice-plane/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-67084",
"datePublished": "2026-01-15T00:00:00.000Z",
"dateReserved": "2025-12-08T00:00:00.000Z",
"dateUpdated": "2026-01-22T02:57:13.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67083 (GCVE-0-2025-67083)
Vulnerability from cvelistv5 – Published: 2026-01-15 00:00 – Updated: 2026-01-15 16:08
VLAI?
Summary
Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration.
Severity ?
5.3 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-67083",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T16:06:34.315967Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T16:08:02.045Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T15:07:20.999Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/InvoicePlane/InvoicePlane"
},
{
"url": "https://www.helx.io/blog/advisory-invoice-plane/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-67083",
"datePublished": "2026-01-15T00:00:00.000Z",
"dateReserved": "2025-12-08T00:00:00.000Z",
"dateUpdated": "2026-01-15T16:08:02.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
FKIE_CVE-2025-67082
Vulnerability from fkie_nvd - Published: 2026-01-15 15:15 - Updated: 2026-01-22 16:04
Severity ?
Summary
An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/InvoicePlane/InvoicePlane | Product | |
| cve@mitre.org | https://www.helx.io/blog/advisory-invoice-plane/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invoiceplane | invoiceplane | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*",
"matchCriteriaId": "17C261C3-0A6B-4D07-8370-DD3C71097DE2",
"versionEndExcluding": "1.6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in \"maxQuantity\" and \"minQuantity\" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes."
}
],
"id": "CVE-2025-67082",
"lastModified": "2026-01-22T16:04:15.340",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-01-15T15:15:51.213",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/InvoicePlane/InvoicePlane"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.helx.io/blog/advisory-invoice-plane/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-67084
Vulnerability from fkie_nvd - Published: 2026-01-15 15:15 - Updated: 2026-01-22 16:03
Severity ?
Summary
File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/InvoicePlane/InvoicePlane | Product | |
| cve@mitre.org | https://www.helx.io/blog/advisory-invoice-plane/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invoiceplane | invoiceplane | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*",
"matchCriteriaId": "17C261C3-0A6B-4D07-8370-DD3C71097DE2",
"versionEndExcluding": "1.6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE)."
}
],
"id": "CVE-2025-67084",
"lastModified": "2026-01-22T16:03:34.310",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-01-15T15:15:51.427",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/InvoicePlane/InvoicePlane"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.helx.io/blog/advisory-invoice-plane/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-616"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-67083
Vulnerability from fkie_nvd - Published: 2026-01-15 15:15 - Updated: 2026-01-22 16:03
Severity ?
Summary
Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/InvoicePlane/InvoicePlane | Product | |
| cve@mitre.org | https://www.helx.io/blog/advisory-invoice-plane/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| invoiceplane | invoiceplane | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*",
"matchCriteriaId": "17C261C3-0A6B-4D07-8370-DD3C71097DE2",
"versionEndExcluding": "1.6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration."
}
],
"id": "CVE-2025-67083",
"lastModified": "2026-01-22T16:03:54.193",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-01-15T15:15:51.313",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://github.com/InvoicePlane/InvoicePlane"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.helx.io/blog/advisory-invoice-plane/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}