Invoiceplane
by Invoiceplane
Source repositories
CVEs (29)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-1000238 | Hig | 0.57 | 8.8 | 0.01 | Nov 17, 2017 | InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload resulting in an authenticated user can upload a malicious file to the webserver. It is possible for an attacker to upload a script which is able to compromise the webserver. | ||
| CVE-2018-12255 | Med | 0.40 | 6.1 | 0.01 | Jul 3, 2018 | An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF Password(Optional)" field. | ||
| CVE-2017-1000239 | Med | 0.35 | 5.4 | 0.00 | Nov 17, 2017 | InvoicePlane version 1.4.10 is vulnerable to a Stored Cross Site Scripting resulting in allowing an authenticated user to inject malicious client side script which will be executed in the browser of users if they visit the manipulated site. | ||
| CVE-2026-26281 | 0.00 | — | 0.00 | Feb 18, 2026 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary… | |||
| CVE-2026-26270 | 0.00 | — | 0.00 | Feb 18, 2026 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject… | |||
| CVE-2026-25596 | 0.00 | — | 0.00 | Feb 18, 2026 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript… | |||
| CVE-2026-25595 | 0.00 | — | 0.00 | Feb 18, 2026 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that… | |||
| CVE-2026-25594 | 0.00 | — | 0.00 | Feb 18, 2026 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the… | |||
| CVE-2026-25548 | 0.00 | — | 0.01 | Feb 18, 2026 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated… | |||
| CVE-2026-24745 | 0.00 | — | 0.00 | Feb 18, 2026 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows… | |||
| CVE-2026-24744 | 0.00 | — | 0.00 | Feb 18, 2026 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate… | |||
| CVE-2026-24743 | 0.00 | — | 0.00 | Feb 18, 2026 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the… | |||
| CVE-2026-24746 | 0.00 | — | 0.00 | Feb 18, 2026 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not… | |||
| CVE-2026-23491 | 0.00 | — | 0.01 | Feb 18, 2026 | InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows… | |||
| CVE-2025-67083 | 0.00 | — | 0.01 | Jan 15, 2026 | Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration. | |||
| CVE-2025-67084 | 0.00 | — | 0.00 | Jan 15, 2026 | File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE). | |||
| CVE-2025-67082 | 0.00 | — | 0.00 | Jan 15, 2026 | An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data… | |||
| CVE-2025-64012 | 0.00 | — | 0.00 | Dec 16, 2025 | InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data. | |||
| CVE-2024-56975 | 0.00 | — | 0.01 | Mar 28, 2025 | InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller. | |||
| CVE-2024-12667 | 0.00 | — | 0.01 | Dec 16, 2024 | A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /invoices/view. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is… |
- risk 0.57cvss 8.8epss 0.01
InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload resulting in an authenticated user can upload a malicious file to the webserver. It is possible for an attacker to upload a script which is able to compromise the webserver.
- risk 0.40cvss 6.1epss 0.01
An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF Password(Optional)" field.
- risk 0.35cvss 5.4epss 0.00
InvoicePlane version 1.4.10 is vulnerable to a Stored Cross Site Scripting resulting in allowing an authenticated user to inject malicious client side script which will be executed in the browser of users if they visit the manipulated site.
- CVE-2026-26281Feb 18, 2026risk 0.00cvss —epss 0.00
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary…
- CVE-2026-26270Feb 18, 2026risk 0.00cvss —epss 0.00
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject…
- CVE-2026-25596Feb 18, 2026risk 0.00cvss —epss 0.00
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript…
- CVE-2026-25595Feb 18, 2026risk 0.00cvss —epss 0.00
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that…
- CVE-2026-25594Feb 18, 2026risk 0.00cvss —epss 0.00
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the…
- CVE-2026-25548Feb 18, 2026risk 0.00cvss —epss 0.01
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated…
- CVE-2026-24745Feb 18, 2026risk 0.00cvss —epss 0.00
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows…
- CVE-2026-24744Feb 18, 2026risk 0.00cvss —epss 0.00
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate…
- CVE-2026-24743Feb 18, 2026risk 0.00cvss —epss 0.00
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the…
- CVE-2026-24746Feb 18, 2026risk 0.00cvss —epss 0.00
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not…
- CVE-2026-23491Feb 18, 2026risk 0.00cvss —epss 0.01
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows…
- CVE-2025-67083Jan 15, 2026risk 0.00cvss —epss 0.01
Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration.
- CVE-2025-67084Jan 15, 2026risk 0.00cvss —epss 0.00
File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).
- CVE-2025-67082Jan 15, 2026risk 0.00cvss —epss 0.00
An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data…
- CVE-2025-64012Dec 16, 2025risk 0.00cvss —epss 0.00
InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data.
- CVE-2024-56975Mar 28, 2025risk 0.00cvss —epss 0.01
InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller.
- CVE-2024-12667Dec 16, 2024risk 0.00cvss —epss 0.01
A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /invoices/view. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is…
Page 1 of 2