Impact
InvoicePlane versions before 1.7.1 store unsanitized input in the Identifier Format field. An authenticated user who can manage Invoice Groups can insert arbitrary JavaScript into this field. When any user opens the invoice list or main dashboard, the stored script runs in that user's browser, allowing an attacker to hijack sessions, deface the interface, or launch further client-side attacks. The flaw is therefore a stored cross-site scripting vulnerability that can be abused by users holding the appropriate permissions. Based on the description, it is inferred that the attacker must first be authenticated and have permission to manage Invoice Groups to perform the injection.
Affected Systems
The affected product is InvoicePlane from the InvoicePlane vendor. All releases prior to version 1.7.1, including 1.7.0, are vulnerable. Users should verify whether their instance is running a patched version.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests the likelihood of exploitation is low, and the vulnerability is not currently listed in CISA's KEV catalog. Exploitation requires an authenticated user with permission to manage Invoice Groups; the attacker can then embed malicious code that executes whenever any user views the invoice list or main dashboard. Based on the description, it is inferred that the attacker must be authenticated and hold group management rights to embed that code. Because the attack vector is limited to users with specific privileges, public exploitation is less likely, but the vulnerability still poses an internal risk to the organization.
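The two controls that close this class of bug are an allowlist on the stored value and output encoding at render time. The following is an added illustration written for this advisory, not InvoicePlane's own code; the `{{{name}}}` placeholder syntax, the function names and the sample inputs are assumptions for the example.

```php
<?php
// Added example (not InvoicePlane's code): validate the Identifier Format on
// save and HTML-escape it on output so a stored value can never execute.
// The {{{placeholder}}} token syntax is assumed for illustration only.

declare(strict_types=1);

// Allowlist: {{{placeholder}}} tokens plus a small set of literal characters.
const IDENTIFIER_FORMAT_PATTERN = '/^(?:\{\{\{[a-z_]+\}\}\}|[A-Za-z0-9 ._\/-])+$/';

// Server-side check to apply before persisting the Invoice Group setting.
function isValidIdentifierFormat(string $format): bool
{
    return $format !== '' && preg_match(IDENTIFIER_FORMAT_PATTERN, $format) === 1;
}

// Output encoding for an HTML text context (invoice list, dashboard).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the stored value is concatenated straight into markup.
function renderGroupRowUnsafe(string $format): string
{
    return '<td>' . $format . '</td>';
}

// Hardened rendering: the same value, encoded at the point of output.
function renderGroupRowSafe(string $format): string
{
    return '<td>' . escapeHtml($format) . '</td>';
}

// Audit helper for rows saved before the fix: returns every stored value that
// fails the allowlist so an administrator can review and correct it.
function auditStoredFormats(array $storedFormats): array
{
    return array_filter($storedFormats, fn(string $f) => !isValidIdentifierFormat($f));
}

// Constructed sample inputs: one legitimate format and one containing markup.
$samples = ['INV{{{id}}}', '<script>alert(1)</script>'];

foreach ($samples as $input) {
    printf("%-30s valid=%s\n", $input, isValidIdentifierFormat($input) ? 'yes' : 'no');
    echo "  unsafe: " . renderGroupRowUnsafe($input) . "\n";
    echo "  safe:   " . renderGroupRowSafe($input) . "\n";
}
print_r(auditStoredFormats($samples));
```

The second sample is rejected by the allowlist on save and, if it already exists in the database, is rendered inert by the escaped output and surfaced by the audit helper.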
OpenCVE Enrichment