CVE-2026-25595
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in InvoicePlane 1.7.0 allows authenticated administrators to inject malicious JavaScript via the Invoice Number field. This script executes when other administrators view affected invoices or visit the dashboard, potentially compromising their sessions. Only InvoicePlane instances with administrator accounts are affected.
💻 Affected Systems
- InvoicePlane
📦 What is this software?
InvoicePlane by InvoicePlane
⚠️ Risk & Real-World Impact
Worst Case
An attacker with administrator credentials could steal session cookies, perform actions as other administrators, redirect users to malicious sites, or install backdoors through client-side attacks.
Likely Case
Privilege escalation within the application, session hijacking of other administrators, or defacement of invoice pages.
If Mitigated
Limited impact if administrators follow the principle of least privilege and use separate accounts for different functions.
🎯 Exploit Status
Exploitation requires administrator credentials but is technically simple once authenticated. The vulnerability is in a core feature (invoice management).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.1
Vendor Advisory: https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-xxvr-2564-6jg6
Restart Required: No
Instructions:
1. Back up your InvoicePlane database and files.
2. Download InvoicePlane 1.7.1 from the official repository.
3. Replace all files except /uploads/ and /ipconfig.php.
4. Run the update script if prompted.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to sanitize invoice number input before storage
Edit application files to add HTML entity encoding for invoice number field
Content Security Policy
Implement CSP headers to restrict script execution
Add the header "Content-Security-Policy: default-src 'self'; script-src 'self'" to the web server configuration; this policy also blocks any inline scripts the application itself uses, so test the UI after enabling it
🧯 If You Can't Patch
- Restrict administrator account access to trusted personnel only and implement multi-factor authentication
- Monitor administrator activity logs for unusual invoice modifications or JavaScript injection attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the InvoicePlane version is 1.7.0 by viewing the footer or checking the application version file
Check Version:
Check the footer of any InvoicePlane page or examine /application/config/version.php file
Verify Fix Applied:
After updating, verify that the version shows 1.7.1 and test the invoice number field with XSS payloads to confirm they are properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual invoice modifications by administrators
- JavaScript code in invoice number fields in database logs
- Multiple failed login attempts followed by successful administrator login
Network Indicators:
- Unexpected external connections from InvoicePlane server after invoice viewing
- Suspicious JavaScript payloads in HTTP requests to invoice endpoints
SIEM Query:
source="invoiceplane_logs" AND ((event="invoice_update" AND data contains "<script>") OR (event="admin_login" AND result="success" AND src_ip="suspicious_ip"))