Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
InvoicePlane: Hackers can modify invoices and data with malicious code
CVE-2026-24744
Summary
A security issue in InvoicePlane's Edit Invoices function allows hackers to inject malicious code into the application. This could allow them to modify important data, create backdoors, and take control of the application. Update to version 1.7.1 to fix the problem.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| invoiceplane | invoiceplane | 1.7.0 | – |
Original title
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of Invoic...
Original description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
nvd CVSS3.1
7.5
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012c... Patch
- https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-5mxx-553h-... Exploit Mitigation Vendor Advisory
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026