InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting

5.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into the "Identifier Format" field. This script executes when any user views the invoice list or the main dashboard. Version 1.7.1 patches the issue.

Basic Information

ID CVE-2026-26270

Source GitHub_M

Published Feb 18, 2026 at 23:01

Affected Product

Vendor InvoicePlane

Product InvoicePlane

Version = 1.7.0

Affected Versions InvoicePlane InvoicePlane = 1.7.0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into the \"Identifier Format\" field. This script executes when any user views the invoice list or the main dashboard. Version 1.7.1 patches the issue.",
    "published": "2026-02-18T23:01:41.222Z",
    "modified": "2026-02-18T23:01:41.222Z",
    "type": "cve",
    "title": "InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting",
    "source": "GitHub_M",
    "references": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-432m-jv69-qp5j\nhttps://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6",
    "id": "CVE-2026-26270",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "InvoicePlane InvoicePlane = 1.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "InvoicePlane",
    "version": "= 1.7.0",
    "vendor": "InvoicePlane",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting_CVE-2026-26270