InvoicePlane: Malicious Scripts Can Modify Application Data
CVE-2026-24746 · severity score 7.5
Summary
InvoicePlane's self-hosted application for managing invoices has a security flaw that allows an attacker with administrator access to inject malicious scripts. This could lead to unauthorized changes to application data or even complete takeover of the application. To fix this, update to version 1.7.1.
What to do
This tracker entry lists no fix version yet, but the original description below states that version 1.7.1 patches the issue. Check with your software vendor for updates and upgrade to 1.7.1 or later once confirmed.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| invoiceplane | invoiceplane | 1.7.0 | – |
Original title
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoiceP...
Original description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at the quote_number parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
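The description above reduces to one defect: a value from the quote_number request parameter is stored and later rendered into HTML without validation or output encoding. The following is an added example, not code from InvoicePlane, showing the unsafe rendering pattern beside its hardened form and an input check; the render functions, the sample value and the quote-number format in the regular expression are assumptions made for illustration.

```php
<?php
// Added example (not InvoicePlane code). Demonstrates why an unvalidated,
// unescaped quote_number value becomes a stored XSS sink, and the two fixes
// that close it: output encoding for the HTML context, plus input validation.

declare(strict_types=1);

// Constructed sample of a stored value that was accepted without validation.
$untrusted = '<script>alert(1)</script>';

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so any tags or attribute breakouts it contains are interpreted by the browser.
function render_unsafe(string $quote_number): string
{
    return '<input name="quote_number" value="' . $quote_number . '">';
}

// Hardened pattern: encode for the HTML attribute/body context at output time.
// ENT_QUOTES also encodes single quotes; ENT_HTML5 selects the HTML5 entity table.
function render_safe(string $quote_number): string
{
    $encoded = htmlspecialchars($quote_number, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="quote_number" value="' . $encoded . '">';
}

// Defence in depth: validate on input as well. Quote numbers are short
// identifiers; the allowed character set and length here are assumptions.
function is_valid_quote_number(string $quote_number): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._\/-]{1,32}$/', $quote_number);
}

echo render_unsafe($untrusted), PHP_EOL;  // the script tag survives intact
echo render_safe($untrusted), PHP_EOL;    // angle brackets and quotes are now inert entities

var_dump(is_valid_quote_number($untrusted));      // rejected at input time
var_dump(is_valid_quote_number('QUO-2026-0042')); // a well-formed constructed value is accepted
```

Output encoding is the fix that actually removes the XSS, because it is applied where the value meets the HTML context; the input check only narrows what can be stored and should not be relied on alone, since a legitimate quote-number format may later need characters the regular expression excludes.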
NVD CVSS 3.1 base score: 7.5
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
- Patch: https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012c...
- Vendor advisory (exploit, mitigation): https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-73x8-gr6v-...
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026