Unrated severityNVD Advisory· Published Feb 18, 2026· Updated Feb 19, 2026
InvoicePlane has Stored XSS via Invoice Number in Invoice View and Dashboard
CVE-2026-25595
Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=1.7.0+ 1 more
- (no CPE)range: <=1.7.0
- (no CPE)range: <= 1.7.0
Patches
Vulnerability mechanics
References
2- github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6mitrex_refsource_MISC
- github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-xxvr-2564-6jg6mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.