CVE-2026-26281

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6	Patch
https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-ccpx-2v5c-cc24	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:invoiceplane:invoiceplane:1.7.0:-:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-18 23:16

Updated : 2026-02-20 17:14

NVD link : CVE-2026-26281

Mitre link : CVE-2026-26281

CVE.ORG link : CVE-2026-26281

JSON object : View

Products Affected

invoiceplane

invoiceplane

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-26281", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.3}]}, "published": "2026-02-18T23:16:20.400", "references": [{"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-ccpx-2v5c-cc24", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue."}, {"lang": "es", "value": "InvoicePlane es una aplicaci\u00f3n de c\u00f3digo abierto autoalojada para gestionar facturas, clientes y pagos. Una vulnerabilidad de cross-site scripting (XSS) almacenado en la vista de factura Sumex permite a un usuario autenticado con privilegios de gesti\u00f3n de clientes y facturas ejecutar JavaScript arbitrario en el navegador de cualquier usuario que vea la factura. Esto puede llevar al secuestro de sesi\u00f3n, robo de datos u otras acciones maliciosas en nombre del usuario v\u00edctima. La versi\u00f3n 1.7.1 corrige el problema."}], "lastModified": "2026-02-20T17:14:02.100", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:invoiceplane:invoiceplane:1.7.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "95F739B4-399F-459D-BF16-5E225A268320"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}