Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Published: 2026-02-18
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting allowing execution of malicious scripts in the application context
Action: Patch
AI Analysis

Impact

InvoicePlane 1.7.0 lets administrators upload SVG files as the login logo. Because SVG is an XML document that may carry script, an attacker with administrator access can upload an SVG containing a script payload; the file is stored on the server and rendered whenever the site is loaded. When any user visits the site, the embedded script executes in that user's browser context, which lets the attacker modify application data, plant persistent backdoors, or otherwise compromise the application's integrity. The flaw is classified as CWE-79 (stored cross-site scripting).

Affected Systems

The affected product is the self-hosted open-source InvoicePlane application, specifically version 1.7.0. Version 1.7.1 includes a patch that resolves the issue. No other versions are listed as affected.

Risk and Exploitability

The CVSS 3.1 base score of 5.7 (Medium) reflects a moderate overall impact, and the EPSS score below 1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated administrator to upload the malicious SVG; once stored, the script runs in the browser of every user who loads the site. The precondition is therefore administrative access to the file-upload function rather than an unauthenticated request, which is what keeps the score in the Medium band despite the High integrity impact.

Generated by OpenCVE AI on April 17, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to InvoicePlane 1.7.1 or later to eliminate the vulnerability.
  • If upgrading immediately is not feasible, block SVG uploads for the login logo or enforce strict MIME type validation to exclude XML-based content.
  • Restrict administrator accounts, audit upload activity, and monitor for unauthorized login-logo changes.

Generated by OpenCVE AI on April 17, 2026 at 18:24 UTC.
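The second and third actions above (block SVG for the login logo or validate content strictly, and monitor for unauthorized logo changes) are illustrated by the following added example. It is not InvoicePlane code and assumes nothing about InvoicePlane's internals: it is a stand-alone Python validator that allow-lists raster formats by their magic bytes, refuses anything that begins like an XML/SVG document regardless of file name or declared MIME type, and keeps a SHA-256 fingerprint of the stored logo so that a change made outside the normal administrative workflow can be detected. The function names and the sample payloads are constructed for this page.

```python
"""Login-logo upload validation and change monitoring (added example).

Illustrative code written for this page, not InvoicePlane's upload handler.
The allow-list, function names and sample payloads are constructed.
"""
import hashlib
import os
import re
from typing import Optional, Tuple

# Raster formats a login logo legitimately needs; SVG is deliberately absent.
# Positive signature matching is the real control: a file is accepted only
# when its leading bytes prove it is one of these formats.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ALLOWED_EXT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}
ALLOWED_MIME = {"image/png": "png", "image/jpeg": "jpeg", "image/gif": "gif"}

# Fast-fail for content that starts like an XML document (optionally behind a
# BOM, whitespace or XML comments). This only gives a clearer rejection
# reason; the signature allow-list above would refuse such content anyway.
XML_START = re.compile(
    rb"^(?:\xef\xbb\xbf)?\s*(?:<!--.*?-->\s*)*<(?:\?xml|svg|!doctype)",
    re.IGNORECASE | re.DOTALL,
)


def detect_format(data: bytes) -> Optional[str]:
    """Identify the real format from leading bytes, ignoring the file name."""
    for fmt, sig in MAGIC.items():
        if data.startswith(sig):
            return fmt
    return None


def validate_logo_upload(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Extension, declared MIME and sniffed content must all agree."""
    if XML_START.match(data[:1024]):
        return False, "rejected: XML/SVG content is not allowed for the login logo"
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXT:
        return False, f"rejected: extension '.{ext}' not in allow-list"
    if declared_mime not in ALLOWED_MIME:
        return False, f"rejected: MIME type '{declared_mime}' not in allow-list"
    sniffed = detect_format(data)
    if sniffed is None:
        return False, "rejected: content does not match any allowed raster signature"
    if not (ALLOWED_EXT[ext] == ALLOWED_MIME[declared_mime] == sniffed):
        return False, f"rejected: extension/MIME/content mismatch ({ext}, {declared_mime}, {sniffed})"
    return True, f"accepted as {sniffed}"


def logo_fingerprint(data: bytes) -> str:
    """SHA-256 of the stored logo; record it after every authorised change."""
    return hashlib.sha256(data).hexdigest()


def logo_changed(expected_fingerprint: str, current_data: bytes) -> bool:
    """True when the logo on disk differs from the last authorised version."""
    return logo_fingerprint(current_data) != expected_fingerprint


# Constructed sample inputs (not real uploads).
PNG_SAMPLE = MAGIC["png"] + b"\x00" * 16
SVG_SAMPLE = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"></svg>'
SVG_AS_PNG = b"\n  <svg xmlns=\"http://www.w3.org/2000/svg\"></svg>"  # SVG body under a .png name

if __name__ == "__main__":
    cases = [
        ("logo.png", "image/png", PNG_SAMPLE),
        ("logo.svg", "image/svg+xml", SVG_SAMPLE),
        ("logo.png", "image/png", SVG_AS_PNG),
        ("logo.jpg", "image/png", PNG_SAMPLE),
    ]
    for name, mime, blob in cases:
        print(name, mime, "->", validate_logo_upload(name, mime, blob))
    baseline = logo_fingerprint(PNG_SAMPLE)
    print("changed after tampering:", logo_changed(baseline, SVG_SAMPLE))
```

The three checks are deliberately redundant: the extension and declared MIME type come from the client and are trivially chosen, so only the sniffed signature is trusted, and a disagreement between the three is itself rejected rather than resolved. The fingerprint is meant to be recorded by the administrative workflow after each legitimate change and compared on a schedule, so that a logo replaced through any other path stands out in monitoring.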

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 19:00:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:invoiceplane:invoiceplane:1.7.0:-:*:*:*:*:*:*

Thu, 19 Feb 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Invoiceplane; Invoiceplane invoiceplane
Vendors & Products  |                | Invoiceplane; Invoiceplane invoiceplane

Wed, 18 Feb 2026 23:00:00 +0000

Type        | Values Removed | Values Added
Description |                | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Title       |                | InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T16:14:50.756Z

Reserved: 2026-01-26T19:06:16.059Z

Link: CVE-2026-24745

Vulnrichment

Updated: 2026-02-19T16:14:43.004Z

NVD

Status: Analyzed

Published: 2026-02-18T23:16:19.407

Modified: 2026-02-20T18:45:21.533

Link: CVE-2026-24745

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses