CVE-2026-25594 MEDIUM

CVE-2026-25594: InvoicePlane has Stored XSS via Family Name in Product Form

Vendor Invoiceplane
Product InvoicePlane
Weakness CWE-79 · XSS
Published February 18, 2026
Last update February 19, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the product form. When an administrator creates a family with a malicious name, the payload executes in the browser of any administrator who visits the product form. Version 1.7.1 patches the issue.

Key dates

02Disclosure timeline

February 18, 2026 CVE published
February 19, 2026 Record updated