Niels Drost

12 exploits Active since Dec 2025
CVE-2026-23491 WRITEUP HIGH WRITEUP
InvoicePlane <=1.6.3 - Path Traversal
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
CVSS 7.5
CVE-2026-24743 WRITEUP MEDIUM WRITEUP
InvoicePlane 1.7.0 - Authenticated Stored Cross-Site Scripting via Invoice Logo Upload
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
CVSS 5.7
CVE-2026-24744 WRITEUP MEDIUM WRITEUP
InvoicePlane 1.7.0 - Authenticated Stored Cross-Site Scripting via Invoice Number Parameter
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
CVSS 5.7
CVE-2026-24746 WRITEUP MEDIUM WRITEUP
InvoicePlane 1.7.0 - Authenticated Stored Cross-Site Scripting via Quote Number Parameter
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at the quote_number parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
CVSS 5.7
CVE-2026-24745 WRITEUP MEDIUM WRITEUP
InvoicePlane 1.7.0 - Authenticated Stored Cross-Site Scripting via SVG Logo Upload
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
CVSS 5.7
CVE-2026-25548 WRITEUP CRITICAL WRITEUP
InvoicePlane 1.7.0 - RCE via LFI & Log Poisoning
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue.
CVSS 9.1
CVE-2026-25594 WRITEUP MEDIUM WRITEUP
InvoicePlane < 1.7.1 - Stored Cross-Site Scripting via Family Name Field
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue.
CVSS 4.8
CVE-2026-25595 WRITEUP MEDIUM WRITEUP
InvoicePlane < 1.7.1 - Authenticated Stored Cross-Site Scripting via Invoice Number Field
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue.
CVSS 4.8
CVE-2026-25596 WRITEUP MEDIUM WRITEUP
InvoicePlane < 1.7.1 - Authenticated Stored Cross-Site Scripting via Product Unit Name Field
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue.
CVSS 4.8
CVE-2026-26270 WRITEUP MEDIUM WRITEUP
InvoicePlane - Authenticated Stored Cross-Site Scripting via Invoice Group Identifier Format Field
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into the "Identifier Format" field. This script executes when any user views the invoice list or the main dashboard. Version 1.7.1 patches the issue.
CVSS 5.4
CVE-2026-26281 WRITEUP MEDIUM WRITEUP
InvoicePlane - Authenticated Stored Cross-Site Scripting in Sumex Invoice View
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue.
CVSS 4.4
CVE-2025-64012 WRITEUP MEDIUM WRITEUP
InvoicePlane invoices/view - Insecure Direct Object Reference
InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data.
CVSS 4.3