CVE-2026-24745

5.7 MEDIUM

📋 TL;DR

InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Login Logo upload function that accepts SVG files. An authenticated administrator can upload malicious SVG files that execute JavaScript when viewed, potentially compromising the application. This affects all InvoicePlane 1.7.0 installations.

💻 Affected Systems

Products:
  • InvoicePlane
Versions: Version 1.7.0 only
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator privileges to exploit. SVG file upload functionality must be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full application compromise through persistent malicious scripts, data theft/modification, account takeover, and backdoor creation.

🟠 Likely Case: Unauthorized data modification, session hijacking, and privilege escalation within the application.

🟢 If Mitigated: Limited impact due to the administrator-only access requirement and proper input validation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator access. SVG files with embedded JavaScript can be uploaded and executed when viewed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.1

Vendor Advisory: https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-r9rq-f946-6x54

Restart Required: No

Instructions:

1. Back up your InvoicePlane installation and database.
2. Download InvoicePlane 1.7.1 from the official repository.
3. Replace all files with the 1.7.1 version.
4. Run database migrations if required.
5. Verify the fix by checking the version.

🔧 Temporary Workarounds

Disable SVG uploads (applies to: all)

Modify the application configuration to block SVG file uploads in the Login Logo function, restricting accepted logo uploads to non-SVG formats.

Restrict administrator access (applies to: all)

Limit administrator accounts and implement strong authentication controls.

🧯 If You Can't Patch

  • Disable the Login Logo upload functionality completely
  • Implement web application firewall rules to block malicious SVG content
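The workaround above amounts to refusing SVG at the upload boundary. The following is an added example (not InvoicePlane code) of a server-side logo validator that decides by file content rather than by extension, so a renamed `.svg` is still rejected; the allowlist, function names and sample uploads are assumptions constructed for illustration.

```python
import re
from typing import Optional

# Constructed allowlist: magic bytes of raster formats a login logo legitimately needs.
_RASTER_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
_SVG_ROOT = re.compile(rb"<\s*svg\b", re.IGNORECASE)
# Heuristic markers of active content; useful for triage, not a substitute for rejecting SVG.
_ACTIVE_CONTENT = re.compile(
    rb"<\s*script\b|\bon[a-z]+\s*=|javascript:|<\s*foreignObject\b", re.IGNORECASE
)

def is_svg(data: bytes) -> bool:
    """True if the payload looks like an SVG document, whatever its extension says."""
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip BOM and leading whitespace
    return head.startswith(b"<") and _SVG_ROOT.search(head) is not None

def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG carries script, event handlers, javascript: URLs or foreignObject."""
    return _ACTIVE_CONTENT.search(data) is not None

def validate_logo_upload(filename: str, data: bytes, allow_svg: bool = False) -> Optional[str]:
    """Return None if the upload may be stored, otherwise the reason it was rejected."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_svg(data) or ext == "svg":
        if not allow_svg:
            return "SVG logos are not accepted"       # also catches SVG renamed to .png
        if not (is_svg(data) and ext == "svg"):
            return "SVG content and extension must both be svg"
        if svg_has_active_content(data):
            return "SVG contains active content"
        return None
    sig = _RASTER_SIGNATURES.get(ext)
    if sig is None:
        return f"extension '{ext}' is not in the allowlist"
    if not data.startswith(sig):
        return f"content does not match the {ext} signature"
    return None

# Constructed sample uploads (not taken from any real incident).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SVG_PLAIN = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
SAMPLE_SVG_SCRIPTED = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
```

The same content check can be run offline over logos already stored on disk to find uploads that predate the workaround.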

🔍 How to Verify

Check if Vulnerable:

Check if running InvoicePlane version 1.7.0 by viewing the version in the application footer or configuration files.

Check Version:

Check application footer or config.php for version information

Verify Fix Applied:

Confirm installation of version 1.7.1 and verify SVG uploads are properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads to login logo endpoint
  • Administrator account activity during off-hours

Network Indicators:

  • HTTP POST requests to upload endpoints with SVG content
  • Unexpected JavaScript execution in application responses

SIEM Query:

source="invoiceplane" AND (url_path="/upload/login_logo" OR file_extension="svg")
