InvoicePlane: Unsecured Logo Upload Allows Malicious Actions
CVE-2026-24745
Summary
InvoicePlane 1.7.0 accepts SVG files through its Upload Login Logo feature without sanitising them. An SVG is an XML document and can carry script elements, on* event handlers and javascript: URLs, so an uploaded "logo" can act as a stored cross-site scripting (XSS) payload that executes in the browser of anyone who views it. Exploitation requires an administrator account, but the advisory still treats the issue as critical: the stored script can modify application data, plant a persistent backdoor, and compromise the integrity of the application. Version 1.7.1 fixes the issue; until you can upgrade, restrict who can reach the logo upload feature.
What to do
The vendor advisory states that version 1.7.1 patches the issue, although the affected-software table below does not yet record a fix version. Confirm the fixed release against the vendor advisory and the patch commit listed under the references, then upgrade. If you cannot upgrade immediately, restrict access to the logo upload feature so that only trusted administrators can reach it.
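A server-side screen for uploaded SVG logos, as an added example that is not InvoicePlane's own code or its patch. InvoicePlane is written in PHP; the check is shown in Python so it runs stand-alone, and the function names and the three sample files below are constructed for the example. It parses the upload as XML (so entity-encoded payloads arrive decoded) and rejects anything that carries script elements, event-handler attributes, javascript: URLs, or DOCTYPE entity declarations:

```python
"""Screen an uploaded SVG logo for active content.

Added example, not InvoicePlane code. Assumes the upload handler can hand us
the file's raw bytes before anything is written to disk; all names here are
hypothetical.
"""
import re
import xml.etree.ElementTree as ET

# Elements that let an SVG carry script or foreign markup. <set>/<animate>
# are included because SMIL can rewrite an href to a javascript: URL at runtime.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object",
               "set", "animate", "animatetransform"}
EVENT_ATTR_RE = re.compile(r"^on[a-z]+$", re.I)
# Browsers strip tab/CR/LF inside URLs, so "java\nscript:" still executes.
URL_WS_RE = re.compile(r"[\t\r\n]")
SCRIPT_URL_RE = re.compile(r"^\s*(javascript|vbscript)\s*:", re.I)
ENTITY_DECL_RE = re.compile(rb"<!ENTITY", re.I)
URL_ATTRS = {"href", "src", "to", "from", "values"}


def _local(name: str) -> str:
    """Drop the namespace prefix ElementTree attaches: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons the file must be rejected (an empty list means clean)."""
    # Refuse entity declarations before parsing: expat expands internal
    # entities, so a billion-laughs DOCTYPE would blow up inside fromstring().
    if ENTITY_DECL_RE.search(data):
        return ["DOCTYPE declares entities (entity-expansion / XXE surface)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings: list[str] = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)  # '{xlink namespace}href' -> 'href'
            if EVENT_ATTR_RE.match(name):
                findings.append(f"{name} event handler on <{tag}>")
            # ElementTree has already decoded character references, so an
            # attribute written as '&#106;avascript:' is seen here as 'javascript:'.
            if name in URL_ATTRS and SCRIPT_URL_RE.match(URL_WS_RE.sub("", value)):
                findings.append(f"script URL in {name} on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples for this example; not files from the advisory or the project.
BENIGN_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">'
               b'<rect width="64" height="64" fill="#1e88e5"/></svg>')

HOSTILE_LOGO = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.cookie)">'
    b'<script>fetch("/settings",{method:"POST"})</script>'
    b'<a xlink:href="java&#10;script:alert(1)"><text y="20">logo</text></a>'
    b'</svg>'
)

ENTITY_BOMB = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY a "aaaa">]>'
               b'<svg xmlns="http://www.w3.org/2000/svg"><text>&a;</text></svg>')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LOGO), ("hostile", HOSTILE_LOGO),
                        ("entity bomb", ENTITY_BOMB)):
        print(label, "->", svg_findings(blob) or "accepted")
```

Treat this as defence in depth rather than the fix. For a logo, the stronger control is to accept only raster formats (PNG, JPEG) and, for any user-supplied file the application does serve, to deliver it with a `Content-Disposition: attachment` header or a `Content-Security-Policy: sandbox` header so that a script-bearing SVG cannot execute within the application's origin even if a screen like this one misses a variant.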
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| invoiceplane | invoiceplane | 1.7.0 | – |
Original description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
NVD CVSS 3.1 base score: 7.5
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
References
- https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012c... (Patch)
- https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-r9rq-f946-... (Exploit, Mitigation, Vendor Advisory)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026