Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue.
Published: 2026-02-18
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS) via the Invoice Number field affecting administrative users
Action: Patch
AI Analysis

Impact

A stored cross-site scripting flaw exists in the Invoice Number field of InvoicePlane 1.7.0. An authenticated administrator can embed arbitrary JavaScript into an invoice number. When any administrator views the affected invoice or the dashboard, the injected script is executed in their browser, allowing for defacement, cookie theft, or navigation to malicious sites. This is a classic CWE-79 input-validation weakness that can compromise confidentiality and integrity for privileged users.

Affected Systems

The vulnerability applies to the self-hosted open-source InvoicePlane application, specifically version 1.7.0 and earlier. The affected component is the invoice number input in the invoice view and dashboard. The patch is delivered in version 1.7.1. Administrators who run older releases or have not applied the update are at risk.

Risk and Exploitability

The CVSS score is 4.8, indicating moderate risk. The EPSS score is below 1%, suggesting that exploitation is unlikely at the time of this analysis. The flaw is not listed in CISA's KEV catalog. An attacker must first authenticate as an administrator; once they do, the stored payload is executed for any other administrator who opens the invoice or visits the dashboard. Without administrative access the vulnerability is not exploitable, so the threat is confined to privileged users.

Generated by OpenCVE AI on April 17, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade InvoicePlane to version 1.7.1 or later to apply the vendor patch.
  • Inspect all existing invoices for malicious script content and either delete or sanitize the invoice numbers in the database.
  • Verify that the invoice number input field renders safely in the UI; if possible, add output‑encoding or escaping to protect against future injection.
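The following Python script is an added example, not code from the advisory, from OpenCVE, or from the InvoicePlane project. It carries out the second and third actions above against an in-memory copy of the data: it flags stored invoice numbers that do not match an allow-list pattern (so markup of any kind is caught, not only a particular payload) and shows the output-encoding check a reviewer would apply to the rendered field. The table name `ip_invoices`, the column `invoice_number`, the allow-list regex and the sample rows are all assumptions constructed for this example.

```python
"""Scan stored invoice numbers for markup and verify output encoding.

Added example (not from the advisory or the InvoicePlane project). The table
and column names below are assumptions; the sample rows are constructed.
"""
import html
import re
import sqlite3

# Allow-list for what an invoice number should look like. This pattern is an
# assumption for the example; adjust it to your own numbering scheme.
INVOICE_NUMBER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_./ -]{0,63}$")

# Constructed sample rows. Rows 3 and 4 carry stored markup of the kind the
# advisory describes; the others are ordinary invoice numbers.
SAMPLE_ROWS = [
    (1, "INV-2026-0001"),
    (2, "INV-2026-0002"),
    (3, "<script>alert(1)</script>"),   # constructed: script tag in the number
    (4, "INV-0004<b>x</b>"),            # constructed: non-script markup
    (5, "2026/02-0005"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory table standing in for the invoices table
    (table/column names are assumptions, not verified against InvoicePlane)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ip_invoices (invoice_id INTEGER PRIMARY KEY, invoice_number TEXT)"
    )
    conn.executemany("INSERT INTO ip_invoices VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_suspicious_invoice_numbers(conn: sqlite3.Connection):
    """Return (invoice_id, invoice_number) for every row whose number does not
    match the allow-list. Anything containing '<', '>', quotes, etc. fails."""
    cur = conn.execute(
        "SELECT invoice_id, invoice_number FROM ip_invoices ORDER BY invoice_id"
    )
    return [(i, n) for i, n in cur if not INVOICE_NUMBER_RE.fullmatch(n or "")]


def render_invoice_number(number: str) -> str:
    """Output-encode the value for an HTML text node or a double-quoted
    attribute. html.escape(quote=True) encodes & < > " and ', so stored
    markup is displayed as text instead of being parsed by the browser."""
    return html.escape(number, quote=True)


def is_safely_rendered(rendered: str) -> bool:
    """Check for the 'verify the field renders safely' step: no raw tag or
    quote characters may survive into the HTML that reaches the browser."""
    return not any(ch in rendered for ch in "<>\"'")


if __name__ == "__main__":
    db = build_sample_db()
    for invoice_id, number in find_suspicious_invoice_numbers(db):
        print(f"invoice {invoice_id}: suspicious invoice_number {number!r}")
        print(f"  encoded for display: {render_invoice_number(number)}")
```

Run it as-is to see the two constructed rows flagged; to use it against a real instance, replace `build_sample_db()` with a read-only connection to the InvoicePlane database and confirm the actual table and column names first. Rows the scan flags should be reviewed and corrected in the database; the allow-list approach also makes a good server-side validation rule for the field going forward, in addition to output encoding on every render.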



Advisories

No advisories yet.

History

Fri, 20 Feb 2026 17:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*

Thu, 19 Feb 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values Added: Invoiceplane; Invoiceplane invoiceplane
Type: Vendors & Products
Values Added: Invoiceplane; Invoiceplane invoiceplane

Wed, 18 Feb 2026 23:15:00 +0000

Type: Description
Values Added: InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue.
Type: Title
Values Added: InvoicePlane has Stored XSS via Invoice Number in Invoice View and Dashboard
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1
{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Invoiceplane Invoiceplane
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T17:45:39.099Z

Reserved: 2026-02-03T01:02:46.717Z

Link: CVE-2026-25595

Vulnrichment

Updated: 2026-02-19T17:05:07.388Z

NVD

Status: Analyzed

Published: 2026-02-18T23:16:19.910

Modified: 2026-02-20T17:07:50.597

Link: CVE-2026-25595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses