CVE-2026-25595

MEDIUM

InvoicePlane 1.7.0 - Stored XSS

Title source: llm

Description

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue.

Exploits (2)

github WRITEUP 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25595

View Code ZIP pw:eip

nomisec WRITEUP

by lagathos · poc

https://github.com/lagathos/CVE-2026-25595

View Code ZIP pw:eip

References (2)

[Patch] https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-xxvr-2564-6jg6

Scores

CVSS v3 4.8

EPSS 0.0001

EPSS Percentile 2.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

invoiceplane/invoiceplane < 1.7.1

Published Feb 18, 2026

Tracked Since Feb 19, 2026