CVE-2026-24746
HIGH EPSS 19.7%
Published Feb 18, 20264mo ago · Modified Jun 17, 20261w ago
7.5 CVSS 3.1
Published Feb 18, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago
Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at the quote_number parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Changed
Confidentiality Low
Integrity High
Availability Low
Threat Intelligence
EPSS Exploit Probability
19.7% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-79 Cross-site Scripting Injection
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| invoiceplane | invoiceplane | 1.7.0 | any |
References 2
- github.com https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6
- github.com https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-73x8-gr6v-vjvj
Remediation
- github.com https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6