Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Published: 2026-02-18
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Integrity Compromise
Action: Immediate Patch
AI Analysis

Impact

InvoicePlane 1.7.0 suffers a stored cross‑site scripting flaw in the Edit Invoices feature. The application fails to validate user input supplied to the "invoice_number" field, allowing an attacker with administrator privileges to inject malicious scripts that persist in the database. The injected code can modify application data, create persistent back‑doors, and otherwise compromise the integrity of the system.

Affected Systems

The affected product is InvoicePlane, specifically version 1.7.0. Version 1.7.1 contains a patch that corrects the validation failure. No other versions are listed as affected. The vendor is InvoicePlane.

Risk and Exploitability

The vulnerability has a CVSS score of 5.7, indicating average severity. EPSS is less than 1%, suggesting a low chance of exploitation in the wild. It is not listed in the CISA KEV catalog. Exploitation requires administrator credentials, so the attack vector is confined to users who already have elevated privileges. The overall risk is moderate because active administrators might deploy the stored script to hijack sessions or sabotage data, but widespread attack potential is limited by the privilege requirement.

Generated by OpenCVE AI on April 18, 2026 at 17:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to InvoicePlane 1.7.1 or later, which includes input validation for the invoice_number field.
  • Tighten role‑based access controls so that only trusted administrators can edit invoices, reducing the opportunity for script injection.
  • Deploy the upgrade in a staged environment before full production deployment.

Generated by OpenCVE AI on April 18, 2026 at 17:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:invoiceplane:invoiceplane:1.7.0:-:*:*:*:*:*:*

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Invoiceplane
Invoiceplane invoiceplane
Vendors & Products Invoiceplane
Invoiceplane invoiceplane

Wed, 18 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Title InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L'}

Subscriptions

Invoiceplane Invoiceplane
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T19:35:24.797Z

Reserved: 2026-01-26T19:06:16.059Z

Link: CVE-2026-24744

cve-icon Vulnrichment

Updated: 2026-02-20T19:35:17.173Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T22:16:24.820

Modified: 2026-02-20T18:45:14.357

Link: CVE-2026-24744

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses