Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue.
Published: 2026-02-18
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS) that allows execution of arbitrary JavaScript in the browser of any user viewing an invoice
Action: Patch
AI Analysis

Impact

InvoicePlane contains a stored cross-site scripting flaw in the Sumex invoice view that lets an authenticated user with client and invoice management rights inject JavaScript that executes in the browser of any other user who views the affected invoice. This can lead to session hijacking, data theft, and other actions performed on behalf of the victim user: attacker-controlled invoice data crosses the application's trust boundary and runs as client-side script in the victim's session.

Affected Systems

The vulnerable code exists in InvoicePlane version 1.7.0. Users who have been granted client and invoice management privileges on the self-hosted application can create or modify invoices that contain malicious scripts. The issue was fixed in version 1.7.1, released by the vendor.

Risk and Exploitability

The CVSS score for this vulnerability is 4.4, indicating moderate severity, and the EPSS score is below 1%, reflecting a low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the attacker to be an authenticated user with client and invoice management privileges, the victim must load the affected invoice, and the resulting impact is browser-side script execution in the victim's session. While the potential impact on confidentiality, integrity, and availability is significant, the likelihood of exploitation remains low on current metrics; the moderate severity still warrants timely patching.

Generated by OpenCVE AI on April 17, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade InvoicePlane to version 1.7.1 or later to apply the vendor fix
  • Restrict client and invoice management privileges to trusted users only, reducing the number of accounts that can create or modify invoices
  • Add a Content-Security-Policy header that disallows inline scripts and restricts script sources, so that injected script is not executed by the browser

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 17:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:invoiceplane:invoiceplane:1.7.0:-:*:*:*:*:*:*

Thu, 19 Feb 2026 17:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values added: Invoiceplane; Invoiceplane invoiceplane
Type: Vendors & Products
Values added: Invoiceplane; Invoiceplane invoiceplane

Wed, 18 Feb 2026 23:15:00 +0000

Type: Description
Values added: InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue.
Type: Title
Values added: InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View
Type: Weaknesses
Values added: CWE-79
Type: References
Values added: (none shown)
Type: Metrics
Values added: cvssV3_1
{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T16:47:43.663Z

Reserved: 2026-02-12T17:10:53.414Z

Link: CVE-2026-26281

Vulnrichment

Updated: 2026-02-19T16:47:32.597Z

NVD

Status: Analyzed

Published: 2026-02-18T23:16:20.400

Modified: 2026-02-20T17:14:02.100

Link: CVE-2026-26281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses