← volver
CVE-2026-25595

InvoicePlane has Stored XSS via Invoice Number in Invoice View and Dashboard

CVSS 4.8 MEDIUMEPSS 0.2%CWE-79
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 4.8EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
18 feb 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any administrator views the affected invoice or visits the dashboard. Version 1.7.1 patches the issue.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Productos afectados
InvoicePlane · InvoicePlane

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-xxvr-2564-6jg6