CVE-2026-25596

Published February 18th, 2026

View on NVD ↗

CVSS v3

4.8

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue.

InvoicePlane/InvoicePlane

A self-hosted open source application for managing your invoices, clients and payments.

GitHub

3.06K