CVE-2026-26270

Medium CVSS: 5.4

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into the "Identifier Format" field. This script executes when any user views the invoice list or the main dashboard. Version 1.7.1 patches the issue.

Vendor

Invoiceplane

Product

Invoiceplane

CWE

CWE-79

Yayın Tarihi

2026-02-18 23:16:20

Güncelleme

2026-02-20 17:13:26

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Invoiceplane MEDIUM Invoiceplane 2026

Referanslar

https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6 https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-432m-jv69-qp5j

Benzer Kayıtlar

Medium

CVE-2026-25596

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site…

Medium

CVE-2026-26281

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site…

Medium

CVE-2026-24745

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site…

Critical

CVE-2026-25548

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Co…

Medium

CVE-2026-25594

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site…

Medium

CVE-2026-25595

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site…