CVE-2026-25595

Medium CVSS: 4.8

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue.

Vendor

Invoiceplane

Product

Invoiceplane

CWE

CWE-79

Yayın Tarihi

2026-02-18 23:16:19

Güncelleme

2026-02-20 17:07:50

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Invoiceplane MEDIUM Invoiceplane 2026

Referanslar

https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6 https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-xxvr-2564-6jg6

Benzer Kayıtlar

Medium

CVE-2026-25596

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site…

Medium

CVE-2026-26270

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site…

Medium

CVE-2026-26281

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site…

Medium

CVE-2026-24745

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site…

Critical

CVE-2026-25548

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Co…

Medium

CVE-2026-25594

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site…