InvoicePlane: An attacker can hijack user sessions and steal data.

CVE-2026-26281
Summary

A security issue in InvoicePlane lets an authorized user with invoice management access execute malicious code in other users' browsers, potentially stealing their data or taking control of their sessions. To fix this, update to version 1.7.1 or later.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
invoiceplane | invoiceplane | 1.7.0 | –
Original title
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticat...
Original description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue.
NVD CVSS 3.1 score: 4.4
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026