What is the CVSS score of CVE-2026-25548?

CVE-2026-25548 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of PHP are affected by CVE-2026-25548?

InvoicePlane installations (versions 1.7.0+) face critical remote code execution risk that could allow attackers to take complete control of systems and access sensitive financial data.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25548?

Yes, a public proof-of-concept exploit is available for CVE-2026-25548. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate CVE-2026-25548?

Within 24 hours: Identify all InvoicePlane instances in production and document versions; isolate or restrict network access to affected systems if patching cannot be completed immediately. Within 7 days: Apply available vendor patch to all InvoicePlane installations; verify patch deployment and test business continuity. Within 30 days: Conduct security assessment of affected systems, review access logs for exploitation attempts, and implement network monitoring for suspicious activity patterns.

PHP CVE-2026-25548

CRITICAL

Code Injection (CWE-94)

2026-02-18 security-advisories@github.com

PHP RCE LFI Invoiceplane

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 20, 2026 - 18:45 vuln.today

Public exploit code

Patch released

Feb 20, 2026 - 18:45 nvd

Patch available

CVE Published

Feb 18, 2026 - 23:16 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the public_invoice_template setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue.

AnalysisAI

Remote Code Execution in InvoicePlane self-hosted invoicing application through code injection. PoC and patch available.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as administrator

Delivery

Manipulate public_invoice_template setting

Exploit

Include poisoned log file path

Execution

PHP code executes via LFI

Impact

Remote code execution achieved

Access

Authenticate as administrator

Delivery

Manipulate public_invoice_template setting

Exploit

Include poisoned log file path

Execution

PHP code executes via LFI

Impact

Remote code execution achieved

Vulnerability AssessmentAI

Exploitation	Administrator account credentials required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.1. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Attacker exploits code injection to execute arbitrary code on the InvoicePlane server, accesses financial records, modifies invoices, or exfiltrates client data.
Remediation	Apply the available patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all InvoicePlane instances in production and document versions; isolate or restrict network access to affected systems if patching cannot be completed immediately. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2026-25548 vulnerability details – vuln.today

Back

PHP CVE-2026-25548

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code