229 matches found

Packet Storm
added 2026/04/13 12:00 a.m., 83 views

InvoicePlane 1.6.3 Path Traversal

InvoicePlane versions 1.6.3 and below suffer from a path traversal vulnerability in the getfile method of the Guest module. CVE-2026-23491: InvoicePlane has Unauthenticated Path Traversal in Guest Controller. Overview: CVE ID: CVE-2026-23491; Severity: CRITICAL ...

CVSS 9.3, AI score 5.8, EPSS 0.0105
Exploits: 2
GithubExploit
added 2026/03/15 6:10 p.m., 111 views

Exploit for Cross-site Scripting in Invoiceplane

CVE-2026-25596 — Stored XSS via Product Unit Name in InvoicePl...

CVSS 4.8, AI score 5.9, EPSS 0.0021
Exploits: 2
GithubExploit
added 2026/03/15 6:09 p.m., 144 views

Exploit for Cross-site Scripting in Invoiceplane

CVE-2026-25595 — Stored XSS via Invoice Number in InvoicePlane...

CVSS 4.8, AI score 5.9, EPSS 0.0021
Exploits: 2
GithubExploit
added 2026/03/15 5:01 p.m., 200 views

Exploit for Code Injection in Invoiceplane

CVE-2026-25548 — Remote Code Execution in InvoicePlane 1.7.0...

CVSS 9.1, AI score 6.1, EPSS 0.00774
Exploits: 2
RedhatCVE
added 2026/02/20 1:22 a.m., 4 views

CVE-2026-25596

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any...

CVSS 4.8, AI score 5.6, EPSS 0.0021
Exploits: 2, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 5 views

CVE-2026-25594

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The familyname value is rendered without HTML encoding inside the family dropdown on the...

CVSS 4.8, AI score 5.5, EPSS 0.00214
Exploits: 2, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 5 views

CVE-2026-24744

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the...

CVSS 7.5, AI score 5.7, EPSS 0.0022
Exploits: 1, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 5 views

CVE-2026-24743

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg file...

CVSS 7.5, AI score 5.7, EPSS 0.0022
Exploits: 1, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 5 views

CVE-2026-24745

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Althou...

CVSS 7.5, AI score 5.7, EPSS 0.0022
Exploits: 1, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 7 views

CVE-2026-25548

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute...

CVSS 9.1, AI score 6.3, EPSS 0.00774
Exploits: 2, References: 1
RedhatCVE
added 2026/02/20 1:22 a.m., 5 views

CVE-2026-23491

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the getfile method of the Guest module's Get controller in InvoicePlane up to and including 1.6.3. The vulnerability allows unauthenticated attacker...

CVSS 9.3, AI score 5.7, EPSS 0.0105
Exploits: 2, References: 1
NVD
added 2026/02/18 11:16 p.m., 4 views

CVE-2026-26270

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane latest version that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into...

CVSS 5.4, EPSS 0.00177
Exploits: 0, References: 2
NVD
added 2026/02/18 11:16 p.m., 4 views

CVE-2026-26281

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser o...

CVSS 4.4, EPSS 0.00184
Exploits: 1, References: 2
NVD
added 2026/02/18 11:16 p.m., 7 views

CVE-2026-24745

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Althou...

CVSS 7.5, EPSS 0.0022
Exploits: 1, References: 2
NVD
added 2026/02/18 11:16 p.m., 24 views

CVE-2026-25548

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute...

CVSS 9.1, EPSS 0.00774
Exploits: 2, References: 2
NVD
added 2026/02/18 11:16 p.m., 7 views

CVE-2026-25594

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The familyname value is rendered without HTML encoding inside the family dropdown on the...

CVSS 4.8, EPSS 0.00214
Exploits: 2, References: 2
NVD
added 2026/02/18 11:16 p.m., 10 views

CVE-2026-25595

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any...

CVSS 4.8, EPSS 0.0021
Exploits: 2, References: 2
CVE
added 2026/02/18 11:03 p.m., 14 views

CVE-2026-26281

InvoicePlane has a stored XSS in the Sumex invoice view. An authenticated user with client/invoice management privileges can inject JavaScript that runs in other users’ browsers viewing the invoice, potentially enabling session hijacking and data theft. A fixed version is 1.7.1. Remediate by upgr...

CVSS 4.4, AI score 5.6, EPSS 0.00184
Exploits: 1, References: 2, Affected Software: 1
CVE
added 2026/02/18 11:01 p.m., 14 views

CVE-2026-26270

CVE-2026-26270 affects InvoicePlane. A Stored XSS exists in the Identifier Format field, exploitable by an authenticated user with Invoice Group management permissions. The malicious script runs when users view the invoice list or the dashboard. A fix is available in Version 1.7.1. If your setup ...

CVSS 5.4, AI score 5.5, EPSS 0.00177
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2026/02/18 11:01 p.m., 21 views

CVE-2026-26270 InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane latest version that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into...

CVSS 5.4, EPSS 0.00177
Exploits: 0, References: 2