Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

InvoicePlane

Source -

CNA

BOS Name -

N/A

CNA CVEs -

4

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
4Vulnerabilities found
CVE-2026-24744
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.7||MEDIUM
EPSS-Not Assigned
Published-18 Feb, 2026 | 21:01
Updated-18 Feb, 2026 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.

Action-Not Available
Vendor-InvoicePlane
Product-InvoicePlane
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-24743
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.7||MEDIUM
EPSS-Not Assigned
Published-18 Feb, 2026 | 20:59
Updated-18 Feb, 2026 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.

Action-Not Available
Vendor-InvoicePlane
Product-InvoicePlane
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-24746
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.7||MEDIUM
EPSS-Not Assigned
Published-18 Feb, 2026 | 20:51
Updated-18 Feb, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
InvoicePlane has a Stored Cross-Site Scripting (XSS) issue

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Quotes functions of InvoicePlane version 1.7.0. In the Editing Quotes function, the application does not validate user input at the quote_number parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.

Action-Not Available
Vendor-InvoicePlane
Product-InvoicePlane
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-23491
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.3||CRITICAL
EPSS-Not Assigned
Published-18 Feb, 2026 | 19:52
Updated-18 Feb, 2026 | 20:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
InvoicePlane has Unauthenticated Path Traversal in Guest Controller

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.

Action-Not Available
Vendor-InvoicePlane
Product-InvoicePlane
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')