InvoicePlane 1.7.0 allows hackers to execute malicious code on your server
CVE-2026-25548
Summary
InvoicePlane users should update to version 1.7.1, which prevents an attacker who already holds administrator access from taking control of the server and executing malicious code. Updating protects the financial data the application holds and closes this route to further unauthorized access. If you haven't already, update InvoicePlane to the latest patched version as soon as possible.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| invoiceplane | invoiceplane | <= 1.7.1 | – |
Original title
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chain...
Original description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue.
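As an added example (not InvoicePlane's own code), a template resolver that restricts a stored template setting to a bare name under a hypothetical templates directory and checks the resolved path for containment, so the setting cannot point an include at a log file or any other file outside that directory:

```php
<?php
// Added example (not InvoicePlane's own code). Assumes a hypothetical
// templates directory that holds one PHP file per public invoice template.

// Map a stored template setting to a file under $templatesDir, or return
// null when the value is not the bare name of an existing template.
function resolve_public_template(string $templatesDir, string $setting): ?string
{
    // Accept only a bare identifier: no slashes, dots, NUL bytes or absolute paths.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $setting)) {
        return null;
    }
    $base = realpath($templatesDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Resolve symlinks before comparing, then require the file to sit directly under $base.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $setting . '.php');
    if ($candidate === false || !is_file($candidate) || dirname($candidate) !== $base) {
        return null;
    }
    return $candidate;
}

// Render a template by name; a rejected setting falls back to a fixed default
// instead of including whatever path the setting points at.
function render_public_invoice(string $templatesDir, string $setting, array $data): void
{
    $file = resolve_public_template($templatesDir, $setting)
        ?? resolve_public_template($templatesDir, 'default');
    if ($file === null) {
        throw new RuntimeException('No usable public invoice template found');
    }
    include $file; // $data is in scope for the included template
}

// Constructed demonstration with a throwaway templates directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/default.php', "<p>Invoice <?= htmlspecialchars(\$data['number']) ?></p>\n");
var_dump(resolve_public_template($dir, 'default') !== null);   // known template name
var_dump(resolve_public_template($dir, '../outside'));         // traversal-style value
var_dump(resolve_public_template($dir, '/absolute/path.log')); // absolute path value
render_public_invoice($dir, 'does-not-exist', ['number' => 'INV-0001']); // falls back to default
unlink($dir . '/default.php');
rmdir($dir);
```

The point the description makes applies to any setting that selects a file to include: once an administrator account is compromised, stored configuration is attacker-controlled and needs the same validation as request input.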
NVD CVSS 3.1 score: 9.1
Vulnerability type
- CWE-94: Code Injection
- CWE-98: Improper Control of Filename for Include
- CWE-117: Improper Output Neutralization for Logs
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026