Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at the quote_number parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Published: 2026-02-18
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Application Compromise via Stored XSS
Action: Patch
AI Analysis

Impact

A stored cross-site scripting flaw exists in the Edit Quotes functionality of InvoicePlane version 1.7.0. The quote_number input is not validated, allowing an attacker who can submit data to inject arbitrary scripts that are then rendered when the quote is viewed. Because the vulnerability requires administrator privileges to inject the payload, the potential impact is limited to users who can access the admin interface, but once exploited the attacker can alter stored data, inject persistent backdoors, and fully compromise the integrity of the application.

Affected Systems

The specific affected product is InvoicePlane, a self-hosted invoicing application. Only installations running version 1.7.0 are vulnerable; the issue is fixed in version 1.7.1 and later.

Risk and Exploitability

The advisory rates the flaw with a CVSS base score of 5.7, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is a web application interface that accepts user input; an attacker must first gain administrator access to reach the Edit Quotes functionality. If successful, the stored script runs in the browser of any user who views the edited quote, enabling data tampering and backdoor persistence. Overall, the risk is moderate, but the potential for significant impact warrants prompt remediation.

Generated by OpenCVE AI on April 17, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update InvoicePlane to version 1.7.1 or later to remove the input validation flaw.
  • Limit admin access to the Edit Quotes function so that only trusted users can submit data.
  • Apply input sanitization or an XSS filtering library to the quote_number field to block script injection while awaiting a patch.


Advisories

No advisories yet.

History

Fri, 20 Feb 2026 18:45:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:invoiceplane:invoiceplane:1.7.0:-:*:*:*:*:*:*

Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Invoiceplane; Invoiceplane invoiceplane
Type: Vendors & Products
Values Removed: (none)
Values Added: Invoiceplane; Invoiceplane invoiceplane

Wed, 18 Feb 2026 22:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added:
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 21:30:00 +0000

Type: Description
Values Removed: InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Values Added: InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at the quote_number parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.

Wed, 18 Feb 2026 21:00:00 +0000

Type: Description
Values Added: InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Type: Title
Values Added: InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added: (none listed)
Type: Metrics (cvssV3_1)
Values Added:
{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L'}


Subscriptions

Invoiceplane Invoiceplane
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-18T21:23:14.039Z

Reserved: 2026-01-26T19:06:16.059Z

Link: CVE-2026-24746

Vulnrichment

Updated: 2026-02-18T21:22:04.078Z

NVD

Status : Analyzed

Published: 2026-02-18T21:16:24.357

Modified: 2026-02-20T18:33:43.350

Link: CVE-2026-24746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses