CVE-2026-25596

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6	Patch
https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*

History

20 Feb 2026, 17:07

Type	Values Removed	Values Added
CPE		cpe:2.3:a:invoiceplane:invoiceplane::::::::
First Time		Invoiceplane invoiceplane Invoiceplane
References	~~() https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6 -~~	() https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6 - Patch
References	~~() https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4 -~~	() https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4 - Exploit, Vendor Advisory
Summary		(es) InvoicePlane es una aplicación de código abierto autoalojada para gestionar facturas, clientes y pagos. Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en InvoicePlane 1.7.0 a través de los campos Product Unit Name. Un administrador autenticado puede inyectar JavaScript malicioso que se ejecuta cuando cualquier administrador ve una factura que contiene un producto con la unidad maliciosa. La versión 1.7.1 soluciona el problema.

18 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-18 23:16

Updated : 2026-02-20 17:07

NVD link : CVE-2026-25596

Mitre link : CVE-2026-25596

CVE.ORG link : CVE-2026-25596

JSON object : View

Products Affected

invoiceplane

invoiceplane

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.8 /10