Unrated severityNVD Advisory· Published Feb 18, 2026· Updated Feb 19, 2026
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
CVE-2026-24745
Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2= 1.7.0+ 1 more
- (no CPE)range: = 1.7.0
- (no CPE)range: = 1.7.0
Patches
Vulnerability mechanics
References
2- github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6mitrex_refsource_MISC
- github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-r9rq-f946-6x54mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.