Invoiceplane

InvoicePlane 1.7.1: Stored XSS in Sumex Invoice View
CVE-2026-26281 4.4 - Medium - February 18, 2026

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue.

XSS

InvoicePlane Stored XSS in Identifier Format Field (pre-1.7.1)
CVE-2026-26270 5.4 - Medium - February 18, 2026

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into the "Identifier Format" field. This script executes when any user views the invoice list or the main dashboard. Version 1.7.1 patches the issue.

XSS

Stored XSS in InvoicePlane 1.7.0 via Product Unit Name, fixed in 1.7.1
CVE-2026-25596 4.8 - Medium - February 18, 2026

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue.

XSS

InvoicePlane 1.7.0 XSS via Invoice Number field (fixed in 1.7.1)
CVE-2026-25595 4.8 - Medium - February 18, 2026

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue.

XSS

InvoicePlane 1.7.0 - Stored XSS via Family Name Field
CVE-2026-25594 4.8 - Medium - February 18, 2026

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue.

XSS

InvoicePlane 1.7.0 RCE via LFI+LogPoisoning
CVE-2026-25548 9.1 - Critical - February 18, 2026

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue.

Code Injection

InvoicePlane 1.7.0 XSS via SVG Upload in Login Logo
CVE-2026-24745 5.7 - Medium - February 18, 2026

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.

XSS

InvoicePlane 1.7.0 XSS via invoice_number edit param
CVE-2026-24744 5.7 - Medium - February 18, 2026

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.

XSS

InvoicePlane 1.7.0 XSS via SVG logo upload (admin only) patched in 1.7.1
CVE-2026-24743 5.7 - Medium - February 18, 2026

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.

XSS

InvoicePlane 1.7.0 XSS in Edit Quotes (quote_number) fixed in 1.7.1
CVE-2026-24746 5.7 - Medium - February 18, 2026

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at the quote_number parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.

XSS

InvoicePlane 1.6.3: Guest::Get Path Traversal lets unauth read files
CVE-2026-23491 - February 18, 2026

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.

Directory traversal

InvoicePlane 1.6.3: SQLi via minQuantity/maxQuantity in Report
CVE-2025-67082 6.5 - Medium - January 15, 2026

An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes.

SQL Injection

InvoicePlane <=1.6.3 Dir Traversal Vulnerability
CVE-2025-67083 5.3 - Medium - January 15, 2026

Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration.

Directory traversal

InvoicePlane <=1.6.3: Arbitrary PHP Upload in attachments RCE
CVE-2025-67084 9.9 - Critical - January 15, 2026

File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).

PHP

InvoicePlane Incorrect Access Control in Invoices/View Handler
CVE-2025-64012 4.3 - Medium - December 16, 2025

InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data.

Insecure Direct Object Reference / IDOR

InvoicePlane RCE via Upload_File before 1.6.11
CVE-2024-56975 - March 28, 2025

InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller.

InvoicePlane Session Expiration Vulnerability in Invoices View
CVE-2024-12667 5.9 - Medium - December 16, 2024

A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /invoices/view. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Insufficient Session Expiration

InvoicePlane Unrestricted File Upload Vulnerability in upload_file Function
CVE-2024-12478 - December 16, 2024

A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Authorization

InvoicePlane Path Traversal Vulnerability in invoices.php
CVE-2024-12362 - December 16, 2024

A vulnerability was found in InvoicePlane up to 1.6.1. It has been classified as problematic. This affects the function download of the file invoices.php. The manipulation of the argument invoice leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Directory traversal

InvoicePlane 1.6 XSS via filter_product in modal_product_lookups.php
CVE-2023-23011 6.1 - Medium - February 07, 2023

Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php.

XSS

InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism
CVE-2021-29023 5.3 - Medium - May 17, 2021

InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable.

Improper Restriction of Excessive Authentication Attempts

In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download
CVE-2021-29024 7.5 - High - May 17, 2021

In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Allowing an attacker to directory traversal and download files suppose to be private without authentication.

Files or Directories Accessible to External Parties

In InvoicePlane 1.5.11
CVE-2021-29022 5.3 - Medium - May 10, 2021

In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.

Unrestricted File Upload

InvoicePlane 1.5 has stored XSS
CVE-2019-7223 5.4 - Medium - March 21, 2019

InvoicePlane 1.5 has stored XSS via the index.php/invoices/ajax/save invoice_password parameter, aka the "PDF password" field to the "Create Invoice" option. The XSS payload is rendered at an index.php/invoices/view/## URI. NOTE: this is different from CVE-2018-12255.

XSS

An XSS issue was discovered in InvoicePlane 1.5.10
CVE-2018-12255 6.1 - Medium - July 03, 2018

An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF Password(Optional)" field.

XSS