CVE-2026-24744
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L
Lifecycle Timeline
4Tags
Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoicePlane version 1.7.0. When editing invoices, the application does not validate user input at the `invoice_number` parameter. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
Analysis
Stored XSS in InvoicePlane 1.7.0's invoice editing function fails to sanitize the invoice_number parameter, allowing authenticated administrators to inject malicious scripts that persist in the application. Public exploit code exists for this vulnerability, enabling attackers with admin access to modify data, create backdoors, and compromise application integrity. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running the Edit Invoices functions of InvoicePlane and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today