CVE-2026-24745 MEDIUM

CVE-2026-24745: InvoicePlane has a Stored Cross-Site Scripting (XSS) issue

Vendor Invoiceplane
Product InvoicePlane
Weakness CWE-79 · XSS
Published February 18, 2026
Last update February 19, 2026

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L

What the vulnerability does

01 Description

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. InvoicePlane 1.7.0 has a stored cross-site scripting (XSS) vulnerability in the Upload Login Logo function: the upload accepts SVG files, and an SVG is an XML document that can carry <script> elements, event-handler attributes and javascript: links, so a crafted logo becomes a script that is stored on the server and, in the usual deployment, served from the application's own origin. Exploitation requires administrator privileges (hence PR:H and the Medium base score above), but the advisory still treats the impact as critical: a stored script can perform unauthorized modification of application data, act as a persistent backdoor that survives for as long as the logo does, and fully compromise the application's integrity. Whether the stored script actually executes depends on how the logo is rendered, which the advisory does not state: browsers do not run script inside an SVG loaded through an <img> element, but they do when the file is opened directly by its URL or embedded through <object>, <embed> or <iframe>. Version 1.7.1 patches the issue.
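The two checks a defender wants here are a triage scan of logos that have already been uploaded, looking for script-capable SVG content, and an upload policy that refuses to store such a file in the first place. The following Python is an added example written for this page; it is not InvoicePlane's code and does not describe how version 1.7.1 fixes the issue. The two sample SVGs and the PNG header are constructed inline, and the allowlist of raster formats is a policy choice made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples for this example; not files from the InvoicePlane advisory.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.domain)">
  <script>fetch('/admin/settings', {credentials: 'include'})</script>
  <a xlink:href="javascript:alert(1)"><text y="20">logo</text></a>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 40">
  <rect width="100" height="40" fill="#1a73e8"/>
  <text x="10" y="25" fill="white">Invoice</text>
</svg>"""

# First 8 bytes are the real PNG signature; the rest is padding standing in for a chunk.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

# Elements and URI schemes that let an SVG run or load active content when it is
# rendered as a document (direct navigation, <object>, <embed>, <iframe>).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
ACTIVE_SCHEME = re.compile(r"\s*(javascript|vbscript|data):", re.I)

# Allowlist of raster formats and the magic bytes each must start with (policy for
# this example, not InvoicePlane's list).
ALLOWED = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return tag.split("}", 1)[-1].lower()


def svg_active_content(data):
    """Triage scan: list every script-capable construct found in an SVG.

    Walks every element and attribute, so it catches <script>, on* event
    handlers on any element, and javascript:/data: targets on href/src
    attributes (xlink:href included, since local_name drops the namespace).
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname in ("href", "src") and ACTIVE_SCHEME.match(value):
                findings.append(f"{aname}={value!r} on <{name}>")
    return findings


def sniff_logo(data):
    """Content sniff against the raster allowlist; returns a MIME type or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def accept_login_logo(filename, data):
    """Upload-side decision: (accepted, reason).

    SVG is refused outright because it is a document format that can carry
    script; the scan result is returned so the rejection explains itself.
    Other extensions must be on the allowlist and the bytes must match.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext == "svg":
        findings = svg_active_content(data) or ["rejected by policy, no active content found"]
        return False, "svg not accepted: " + "; ".join(findings)
    if ext not in ALLOWED:
        return False, f"extension .{ext} not in allowlist"
    mime = sniff_logo(data)
    if mime != ALLOWED[ext]:
        return False, f"content sniffed as {mime}, expected {ALLOWED[ext]}"
    return True, mime


if __name__ == "__main__":
    print("triage:", svg_active_content(MALICIOUS_SVG))
    print("upload:", accept_login_logo("logo.svg", MALICIOUS_SVG))
    print("upload:", accept_login_logo("logo.png", PNG_HEADER))
```

Two caveats on the scan: it uses the standard-library parser, which does not protect against entity-expansion attacks in hostile XML, so a production scanner should parse with defusedxml or disable entity resolution; and a clean scan is not a reason to serve user-supplied SVG inline. If SVG must be kept, serve it with `Content-Disposition: attachment` or behind a restrictive `Content-Security-Policy` and reference it only from `<img>`, since that rendering path does not execute script.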

Key dates

02 Disclosure timeline

February 18, 2026 CVE published
February 19, 2026 Record updated
