4 matches found

OSV
added 2026/02/18 11:1 p.m., 2 views

CVE-2026-26270 InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane latest version that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into...

5.4 CVSS, 5.6 AI score, 0.00011 EPSS
Exploits 0, References 4
Cvelist
added 2026/02/18 11:1 p.m., 19 views

CVE-2026-26270 InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane latest version that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into...

5.4 CVSS, 0.00011 EPSS
Exploits 0, References 2
CVE
added 2026/02/18 11:1 p.m., 8 views

CVE-2026-26270

CVE-2026-26270 affects InvoicePlane. A Stored XSS exists in the Identifier Format field, exploitable by an authenticated user with Invoice Group management permissions. The malicious script runs when users view the invoice list or the dashboard. A fix is available in Version 1.7.1. If your setup ...

5.4 CVSS, 5.5 AI score, 0.00011 EPSS
Exploits 0, References 2, Affected Software 1
Positive Technologies
added 2026/02/18 12:0 a.m., 0 views

PT-2026-20554

Name of the Vulnerable Software and Affected Versions: InvoicePlane versions prior to 1.7.1
Description: InvoicePlane is an open source application used for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) issue exists that allows an authenticated user with the necessary...

5.4 CVSS, 5.4 AI score, 0.00011 EPSS
Exploits 0, References 8