Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue.
Published: 2026-02-18
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the Family Name field of the product form. When an administrator creates a family with a maliciously crafted name, that name is rendered without HTML encoding in the family dropdown, so the payload executes in the browser of any administrator who opens the product form. An attacker can thereby run arbitrary client-side script in a privileged user's session, for example to steal session data or deface the UI, which undermines authentication and session integrity for those users.

Affected Systems

The affected product is InvoicePlane, version 1.7.0. The issue is resolved in 1.7.1. The product is a self‑hosted web application for invoice management.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, while the EPSS score below 1% suggests a low probability of widespread exploitation. The flaw is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated administrator to create a family with a malicious name, after which any administrator who opens the product form triggers the script. The impact is confined to the browser context of privileged users; the flaw does not directly expose server-side data or grant privilege escalation beyond the affected tenant.

Generated by OpenCVE AI on April 18, 2026 at 11:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade InvoicePlane to version 1.7.1 or later
  • Audit existing family names and remove any that contain script or HTML markup
  • Monitor the application for suspicious family name entries and verify that the dropdown is properly encoded
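As an added illustration (not InvoicePlane's own code, which this page does not show), the snippet below contrasts a family dropdown rendered without encoding against one rendered through PHP's `htmlspecialchars`, and implements the audit step from the recommended actions above by flagging stored family names that contain HTML-significant characters. The family rows are constructed sample data, and `render_family_options_unsafe`, `render_family_options_safe` and `audit_family_names` are hypothetical helper names chosen for this example.

```php
<?php
// Added example: unencoded vs. encoded rendering of a <select> of families,
// plus an audit that flags stored names containing HTML metacharacters.
// Function names and sample rows are constructed for this illustration;
// this is not InvoicePlane's code.

declare(strict_types=1);

// Constructed sample rows, shaped like a minimal families table.
// The third name carries harmless markup to show why output encoding matters.
$families = [
    ['family_id' => 1, 'family_name' => 'Office Supplies'],
    ['family_id' => 2, 'family_name' => 'Tools & Hardware'],
    ['family_id' => 3, 'family_name' => 'Furniture"><b>injected</b>'],
];

/** Vulnerable pattern: the stored name is interpolated verbatim into HTML. */
function render_family_options_unsafe(array $families): string
{
    $html = '';
    foreach ($families as $f) {
        // Whatever was stored becomes live markup in the administrator's browser.
        $html .= '<option value="' . $f['family_id'] . '">' . $f['family_name'] . '</option>' . "\n";
    }
    return $html;
}

/** Hardened pattern: every dynamic value is HTML-encoded at output time. */
function render_family_options_safe(array $families): string
{
    $html = '';
    foreach ($families as $f) {
        // ENT_QUOTES encodes both quote styles, so the value is safe inside
        // an attribute as well as in element text.
        $id   = htmlspecialchars((string) $f['family_id'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $name = htmlspecialchars($f['family_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= '<option value="' . $id . '">' . $name . '</option>' . "\n";
    }
    return $html;
}

/**
 * Audit helper for the recommended action "audit existing family names":
 * returns the ids of rows whose name contains characters that can open a
 * tag or break out of an attribute (< > " '). Encoding at output time is
 * the real fix; this check only helps find entries to review or remove.
 */
function audit_family_names(array $families): array
{
    $flagged = [];
    foreach ($families as $f) {
        if (preg_match('/[<>"\']/', $f['family_name']) === 1) {
            $flagged[] = $f['family_id'];
        }
    }
    return $flagged;
}

echo "--- unsafe rendering ---\n", render_family_options_unsafe($families);
echo "--- safe rendering ---\n", render_family_options_safe($families);
echo "flagged family ids: ", implode(', ', audit_family_names($families)), "\n";
```

Run it with `php example.php`. In the unsafe output the third name's markup survives as live HTML, while in the safe output it is rendered as the literal text `Furniture&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`, and the audit reports family id 3 as worth reviewing. Encoding at the point of output is what removes the vulnerability class; auditing stored names is a stopgap for the period before the upgrade.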

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 17:15:00 +0000

Type   Values Removed   Values Added
CPEs   (none)           cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*

Thu, 19 Feb 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Invoiceplane; Invoiceplane invoiceplane
Vendors & Products    (none)           Invoiceplane; Invoiceplane invoiceplane

Wed, 18 Feb 2026 23:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue.
Title         (none)           InvoicePlane has Stored XSS via Family Name in Product Form
Weaknesses    (none)           CWE-79
References    (none)
Metrics       (none)           cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T17:45:49.423Z

Reserved: 2026-02-03T01:02:46.716Z

Link: CVE-2026-25594

Vulnrichment

Updated: 2026-02-19T17:05:10.771Z

NVD

Status: Analyzed

Published: 2026-02-18T23:16:19.747

Modified: 2026-02-20T17:07:45.483

Link: CVE-2026-25594

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses