Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Published: 2026-02-18
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that can compromise application data and integrity
Action: Immediate Patch
AI Analysis

Impact

InvoicePlane version 1.7.0 contains a stored cross‑site scripting flaw in the invoice logo upload function; the application accepts uploaded SVG files that can embed JavaScript. An attacker with administrative privileges can upload a malicious SVG, cause the embedded script to run in authenticated users’ browsers, and thereby manipulate application data or establish persistent backdoors.

Affected Systems

The vulnerability affects the InvoicePlane application, specifically version 1.7.0. The vendor has released version 1.7.1 to patch the issue.

Risk and Exploitability

The CVSS score of 5.7 indicates medium severity, and the EPSS score of less than 1 % suggests a very low current exploitation probability. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, so no active exploitation campaign is confirmed. Attackers must be authenticated administrators to exploit the flaw, which limits the attack surface but still allows them to run arbitrary JavaScript in the context of any logged‑in user, giving them the ability to modify data or implant persistent malicious code.

Generated by OpenCVE AI on April 17, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official vendor patch by upgrading InvoicePlane to version 1.7.1
  • If an upgrade cannot be performed immediately, block the upload of SVG files and restrict image uploads to safe formats such as PNG or JPEG
  • Deploy a web application firewall or equivalent XSS filtering that blocks script payloads in uploaded files

Generated by OpenCVE AI on April 17, 2026 at 18:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:invoiceplane:invoiceplane:1.7.0:-:*:*:*:*:*:*

Thu, 19 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Invoiceplane
Invoiceplane invoiceplane
Vendors & Products Invoiceplane
Invoiceplane invoiceplane

Wed, 18 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Title InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L'}

Subscriptions

Invoiceplane Invoiceplane
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T14:58:46.031Z

Reserved: 2026-01-26T19:06:16.059Z

Link: CVE-2026-24743

cve-icon Vulnrichment

Updated: 2026-02-19T14:58:31.241Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T22:16:24.660

Modified: 2026-02-20T18:39:46.053

Link: CVE-2026-24743

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses