InvoicePlane 1.6.3 Path Traversal
InvoicePlane versions 1.6.3 and below suffer from a path traversal vulnerability in the getfile method of the Guest module. CVE-2026-23491: InvoicePlane has Unauthenticated Path Traversal in Guest Controller

Overview

| Field | Details |
|---|---|
| CVE ID | CVE-2026-23491 |
| Severity | CRITICAL ... |
Exploit for Cross-site Scripting in Invoiceplane
CVE-2026-25596 — Stored XSS via Product Unit Name in InvoicePl...
Exploit for Cross-site Scripting in Invoiceplane
CVE-2026-25595 — Stored XSS via Invoice Number in InvoicePlane...
Exploit for Code Injection in Invoiceplane
CVE-2026-25548 — Remote Code Execution in InvoicePlane 1.7.0...
CVE-2026-25596
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any...
CVE-2026-24744
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the...
CVE-2026-25594
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The familyname value is rendered without HTML encoding inside the family dropdown on the...
CVE-2026-24743
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg file...
CVE-2026-24745
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Althou...
CVE-2026-25548
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute...
CVE-2026-23491
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the getfile method of the Guest module's Get controller in InvoicePlane up to and including 1.6.3. The vulnerability allows unauthenticated attacker...
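The following is an added illustration of the bug class behind the CVE-2026-23491 entry; it is not code from InvoicePlane (which is written in PHP) or from any advisory, and it does not reproduce the real getfile method. `unsafe_resolve` shows the pattern that makes an unauthenticated guest download vulnerable: the caller-supplied name is joined onto the upload directory and served as-is. `safe_resolve` is the containment check a reviewer would expect. All function names, the directory layout and the sample files are constructed for this example.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def unsafe_resolve(upload_dir: str, requested: str) -> str:
    """Vulnerable pattern: the request parameter is joined onto the upload
    directory with no check on where the result lands, so '../' sequences
    walk out of upload_dir."""
    return os.path.join(upload_dir, requested)


def safe_resolve(upload_dir: str, requested: str) -> Optional[str]:
    """Hardened version: a guest download must be a bare filename, and the
    fully resolved path (symlinks and '..' collapsed) must still sit inside
    upload_dir and name a regular file. Anything else returns None."""
    base = os.path.realpath(upload_dir)
    # Reject separators, absolute paths and NUL bytes before touching the filesystem.
    if not requested or os.path.isabs(requested):
        return None
    if any(ch in requested for ch in ("/", "\\", "\x00")):
        return None
    candidate = os.path.realpath(os.path.join(base, requested))
    # Containment check after realpath: catches '..' and symlinks that escape base.
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_dir() -> str:
    """Constructed sample layout (not real InvoicePlane data): an uploads
    directory next to a 'secret' config file that a traversal would reach."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    Path(uploads, "invoice-1.pdf").write_bytes(b"%PDF-1.4 constructed demo")
    Path(root, "ipconfig.php").write_text("<?php // constructed secret, not a real file\n")
    # A symlink inside uploads that points outside it, to show why realpath matters.
    try:
        os.symlink(os.path.join(root, "ipconfig.php"), os.path.join(uploads, "link.pdf"))
    except OSError:
        pass  # platforms without symlink support still exercise the '..' cases
    return uploads


def run_cases(uploads: str) -> dict:
    """Map each constructed request to whether the hardened resolver serves it."""
    cases = [
        "invoice-1.pdf",           # legitimate guest download
        "../ipconfig.php",         # classic traversal out of uploads
        "..",                      # parent directory itself
        "link.pdf",                # symlink escaping uploads
        "/etc/passwd",             # absolute path
        "sub/../invoice-1.pdf",    # normalises inside, still rejected (contains a separator)
    ]
    return {c: safe_resolve(uploads, c) is not None for c in cases}


if __name__ == "__main__":
    demo = build_demo_dir()
    for request, served in run_cases(demo).items():
        print(f"{request!r:28} -> {'served' if served else 'rejected'}")
    print("unsafe join would read:", unsafe_resolve(demo, "../ipconfig.php"))
```

The order of checks matters: reject separators first so the resolver never touches arbitrary filesystem paths, then resolve with `realpath` and compare with `commonpath` so a symlink planted inside the upload directory cannot escape it either. A check that only strips `..` substrings, or one that compares the unresolved string prefix, misses both cases.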
CVE-2026-26270 InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in the latest version of InvoicePlane that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into...
CVE-2026-26281
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser o...
CVE-2026-25595
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any...
CVE-2026-26281
InvoicePlane has a stored XSS in the Sumex invoice view. An authenticated user with client/invoice management privileges can inject JavaScript that runs in other users' browsers viewing the invoice, potentially enabling session hijacking and data theft. A fixed version is 1.7.1. Remediate by upgr...