📦 InvoicePlane
by InvoicePlane
⚠️ Known Vulnerabilities
InvoicePlane 1.7.0 contains a critical Remote Code Execution vulnerability that allows authenticated administrators to execute arbitrary system commands on the server. Attackers can chain Local File I...
This vulnerability allows authenticated attackers to upload malicious PHP files as attachments in InvoicePlane, which can then be executed remotely to achieve full system compromise. All InvoicePlane ...
CVE-2026-23491 is a path traversal vulnerability in InvoicePlane that allows unauthenticated attackers to read arbitrary files on the server by manipulating filename parameters. This can lead to discl...
CVE-2021-29024 is a directory traversal vulnerability in InvoicePlane that allows unauthenticated attackers to list directories and download files that should be protected. This affects all users runn...
A stored cross-site scripting (XSS) vulnerability in InvoicePlane allows authenticated users with Invoice Groups management permissions to inject malicious JavaScript into the 'Identifier Format' fiel...
InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Login Logo upload function that accepts SVG files. An authenticated administrator can upload malicious SVG files that execute JavaScript w...
A stored cross-site scripting (XSS) vulnerability in InvoicePlane 1.7.0 allows authenticated administrators to inject malicious JavaScript via the Invoice Number field. This script executes when other...
InvoicePlane 1.7.0 contains a stored XSS vulnerability in the Edit Invoices function where the invoice_number parameter lacks input validation. This allows authenticated administrators to inject malic...
InvoicePlane 1.7.0 has a stored XSS vulnerability in the Edit Quotes function where the quote_number parameter lacks input validation. Attackers with administrator access can inject malicious scripts ...
An authenticated SQL injection vulnerability in InvoicePlane allows attackers to extract arbitrary data from the database by manipulating report generation parameters. This affects all InvoicePlane in...
CVE-2025-67083 is a directory traversal vulnerability in InvoicePlane that allows unauthenticated attackers to read arbitrary files from the server. The impact depends on web server configuration and ...
InvoicePlane versions before commit debb446c are vulnerable to an authorization bypass that allows users to view invoices belonging to other accounts. This affects all InvoicePlane installations that ...
This CVE describes a path traversal vulnerability in InvoicePlane's invoices.php file that allows attackers to access arbitrary files on the server by manipulating invoice parameters. The vulnerabilit...