CVE-2026-25596

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6	Patch
https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-18 23:16

Updated : 2026-02-20 17:07

NVD link : CVE-2026-25596

Mitre link : CVE-2026-25596

CVE.ORG link : CVE-2026-25596

JSON object : View

Products Affected

invoiceplane

invoiceplane

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-25596", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2026-02-18T23:16:20.073", "references": [{"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue."}, {"lang": "es", "value": "InvoicePlane es una aplicaci\u00f3n de c\u00f3digo abierto autoalojada para gestionar facturas, clientes y pagos. Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en InvoicePlane 1.7.0 a trav\u00e9s de los campos Product Unit Name. Un administrador autenticado puede inyectar JavaScript malicioso que se ejecuta cuando cualquier administrador ve una factura que contiene un producto con la unidad maliciosa. La versi\u00f3n 1.7.1 soluciona el problema."}], "lastModified": "2026-02-20T17:07:57.800", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "200F4F45-C04E-4F4E-9DF4-CE8D5ABEDB9F", "versionEndExcluding": "1.7.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}