21 matches found
Exploit for Cross-site Scripting in Invoiceplane
CVE-2026-25594 — Stored XSS via Family Name in InvoicePlane 1...
CVE-2026-25595
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any...
CVE-2026-26270
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane latest version that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into...
CVE-2026-24746
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at th...
CVE-2026-25596
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any...
CVE-2026-24744 InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the...
CVE-2026-24743 InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg file...
CVE-2026-23491 InvoicePlane has Unauthenticated Path Traversal in Guest Controller
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the getfile method of the Guest module's Get controller in InvoicePlane up to and including 1.6.3. The vulnerability allows unauthenticated attacker...
CVE-2025-67083
Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration...
EUVD-2026-2784
An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database...
CVE-2025-67082
An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database...
CVE-2025-67084
The CVE-2025-67084 entry concerns InvoicePlane up to version 1.6.3, where an authenticated file-upload flaw allows uploading arbitrary PHP files into attachments, enabling remote code execution (RCE). Affected component is the file upload handling in attachments; the root cause is not explicitly ...
CVE-2025-64012
InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data...
EUVD-2017-1611
Malware in sbrugna...
PT-2024-17611 · Unknown · Invoiceplane
Name of the Vulnerable Software and Affected Versions: InvoicePlane versions up to 1.6.1 Description: A critical vulnerability affects the upload file function of the file "/index.php/upload/upload file/1/1". The manipulation of the file argument leads to unrestricted upload. The attack can be...
CVE-2017-1000508
Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of JavaScript code. This vulnerability appears to have been fixed in 1.5.5 and later...
Cross site scripting
Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of JavaScript code. This vulnerability appears to have been fixed in 1.5.5 and later...
CVE-2017-1000508
The CVE-2017-1000508 entry concerns InvoicePlane 1.5.4 and earlier, with a Cross-Site Scripting (XSS) vulnerability in the Client's details field that can lead to JavaScript execution. Affected component is the web interface handling client details; root cause is unescaped input in the client det...