Impact
InvoicePlane is a self‑hosted invoicing platform that allows administrators to manage invoices, clients, and payments. A stored cross‑site scripting flaw exists in version 1.7.0. It occurs when an administrator creates or edits a product unit name: the value is stored as entered and later rendered without output encoding in the invoice item list. An attacker who holds authenticated administrator rights can therefore inject arbitrary JavaScript, which executes in the browser of any administrator who views an invoice containing a product with a malicious unit name. The flaw is classified as CWE‑79 (improper neutralization of input during web page generation); a successful injection lets the attacker alter user‑agent behavior, steal session cookies, or deface the application.
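The mechanism described above, as an added illustration that is not InvoicePlane's own code: a minimal invoice item row renderer in the vulnerable pattern (stored unit name echoed as-is) beside the hardened pattern (encoded at the point of output), plus a small check a defender can run over stored unit names. The item structure, the function names and the sample data are assumptions constructed for this example.

```php
<?php
// Added example, not code from InvoicePlane. Field names, function names
// and sample values are assumptions for illustration only.

declare(strict_types=1);

/** Encode an untrusted value for an HTML text or attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored unit name is concatenated into the row unchanged. */
function render_item_row_vulnerable(array $item): string
{
    return '<tr><td>' . $item['name'] . '</td>'
         . '<td>' . $item['quantity'] . '</td>'
         . '<td>' . $item['unit_name'] . '</td></tr>';
}

/** Hardened pattern: every field that originated from user input is encoded on output. */
function render_item_row_safe(array $item): string
{
    return '<tr><td>' . h($item['name']) . '</td>'
         . '<td>' . h((string) $item['quantity']) . '</td>'
         . '<td>' . h($item['unit_name']) . '</td></tr>';
}

/**
 * Defender check: return stored unit names that contain HTML-significant
 * characters. A legitimate unit name ("hours", "pcs", "m²") never needs
 * them, so any hit on an instance that ran 1.7.0 deserves review.
 */
function find_suspicious_unit_names(array $units): array
{
    return array_values(array_filter($units, function (string $unit): bool {
        return preg_match('/[<>"\']/', $unit) === 1;
    }));
}

// Constructed sample data, not taken from any real instance.
$item = [
    'name'      => 'Consulting',
    'quantity'  => 2,
    'unit_name' => 'hours<script>alert(1)</script>',
];

// The first line hands the <script> element to the browser intact;
// the second emits &lt;script&gt;..., which the browser shows as inert text.
echo render_item_row_vulnerable($item), PHP_EOL;
echo render_item_row_safe($item), PHP_EOL;

// Lists only the third entry.
print_r(find_suspicious_unit_names(['hours', 'pcs', $item['unit_name']]));
```

The point of the hardened variant is where the encoding happens: in the view, at output time, for every field, rather than by filtering on input, which is easy to bypass and does nothing for values already stored by an older version. The audit function is the corresponding cleanup step after upgrading, since the patch in 1.7.1 changes rendering but does not retroactively remove markup that was saved while 1.7.0 was in use.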
Affected Systems
Only the 1.7.0 release of InvoicePlane is affected; the vulnerable component is the product unit name field as it is rendered in the invoice item list. Version 1.7.1 includes a patch that removes the vulnerability.
Risk and Exploitability
The CVSS score is 4.8 (medium severity), and the EPSS score is below 1 %, indicating a very low exploitation probability. The vulnerability requires authenticated administrative privileges, so it is not remotely exploitable by unauthenticated users. Because the flaw enables arbitrary script execution only in an administrator’s browser, the immediate impact is limited to accounts that have invoicing rights. The flaw is not listed in the CISA KEV catalog, so no active exploitation campaigns have been reported yet. Nonetheless, because any administrator viewing an affected invoice can become a vector for further attacks, the risk warrants timely patching.
OpenCVE Enrichment