CVE-2026-26270
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in InvoicePlane allows authenticated users with Invoice Groups management permissions to inject malicious JavaScript into the 'Identifier Format' field. This script executes when any user views the invoice list or main dashboard, potentially compromising user sessions or stealing sensitive data. All users running vulnerable versions of InvoicePlane are affected.
💻 Affected Systems
- InvoicePlane
📦 What is this software?
Invoiceplane by Invoiceplane
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to full system compromise.
Likely Case
Session hijacking, credential theft, or defacement of the application interface through malicious script execution.
If Mitigated
Limited impact with proper input validation and output encoding, though some user interface disruption may still occur.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.1
Vendor Advisory: https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-432m-jv69-qp5j
Restart Required: No
Instructions:
1. Back up your InvoicePlane installation and database.
2. Download version 1.7.1 from the official repository.
3. Replace all files with the new version.
4. Verify the patch is applied by checking the version in the dashboard.
🔧 Temporary Workarounds
Restrict Invoice Groups Management Permissions
Limit 'manage_invoice_groups' permissions to trusted administrators only, to reduce the attack surface.
Input Validation Filter
Implement server-side input validation to sanitize the 'Identifier Format' field before storage.
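One way to implement the storage-time allowlist for this field together with output-time encoding, as an added example that is not InvoicePlane's own code (Python; the `{{{name}}}` placeholder syntax and the literal-character allowlist are assumptions made for the example):

```python
import html
import re

# Assumed placeholder syntax for this example: tokens such as {{{id}}} or
# {{{year}}} are the only non-literal parts of an identifier format.
_PLACEHOLDER = r"\{\{\{[a-z_]+\}\}\}"
# Literal characters permitted outside placeholders (an allowlist, not a blocklist).
_LITERAL = r"[A-Za-z0-9 _./-]"
_FORMAT_RE = re.compile(rf"(?:{_PLACEHOLDER}|{_LITERAL})*")
_MAX_LEN = 64


def is_valid_identifier_format(value: str) -> bool:
    """Server-side check to run before storing the 'Identifier Format' field.

    Rejects anything containing markup characters (<, >, ", ', &) or unknown
    placeholder syntax, so a script payload never reaches the database.
    """
    return len(value) <= _MAX_LEN and _FORMAT_RE.fullmatch(value) is not None


def render_identifier_format_unsafe(value: str) -> str:
    """The vulnerable pattern: the stored value is interpolated into HTML verbatim."""
    return f"<td>{value}</td>"


def render_identifier_format(value: str) -> str:
    """Hardened output: HTML-encode at the point of rendering, regardless of
    whether validation happened at storage time (defence in depth)."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def triage_identifier_formats(values):
    """Walk already-stored formats (e.g. from a database export) and return the
    ones that would fail validation, for an audit after applying the fix."""
    return [v for v in values if not is_valid_identifier_format(v)]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real installation.
    samples = ["INV-{{{year}}}-{{{id}}}", "Quote/{{{id}}}", "INV<script>x</script>"]
    for s in samples:
        print(f"{s!r}: valid={is_valid_identifier_format(s)} -> {render_identifier_format(s)}")
```

The validation rejects the value before storage; the encoding makes the list and dashboard views safe even for values that were stored before the check existed.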
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Monitor and audit user accounts with 'manage_invoice_groups' permissions for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check if your InvoicePlane version is below 1.7.1 by logging into the dashboard and viewing the version in the footer or settings.
Check Version:
Check the footer of the InvoicePlane dashboard or navigate to System Settings > General to view the version.
Verify Fix Applied:
After updating to 1.7.1, verify the version displays correctly and test that script tags in the 'Identifier Format' field are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to invoice groups, especially with script tags or JavaScript in the identifier field
- Multiple failed login attempts followed by successful access to invoice group management
Network Indicators:
- Unexpected outbound connections from the InvoicePlane server after viewing invoice lists
SIEM Query:
source="invoiceplane_logs" AND (message="*<script>*" OR message="*javascript:*")