CVE-2026-25548

CRITICAL

InvoicePlane 1.7.0 - RCE via LFI & Log Poisoning

Title source: llm

Description

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue.

Exploits (1)

nomisec WRITEUP
by lagathos · poc
https://github.com/lagathos/CVE-2026-25548

References (2)

Scores

CVSS v3 9.1
EPSS 0.0019
EPSS Percentile 41.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-94 CWE-98 CWE-117
Status published
Products (1)
invoiceplane/invoiceplane < 1.7.1
Published Feb 18, 2026
Tracked Since Feb 19, 2026