PT-2026-20546 · Unknown · Invoiceplane

Lagathos · Published 2026-02-18 · Updated 2026-02-24 · CVE-2026-25548

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: InvoicePlane 1.7.0 (the affected range is given as 1.7.0 through 1.7.0, i.e. only that release).
Description: InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. Version 1.7.0 contains a critical Remote Code Execution (RCE) flaw reached through a chain of Local File Inclusion (LFI) and log poisoning. The public invoice template setting selects the file the application includes when rendering a public invoice; an authenticated administrator can point it at a server log file instead of a template. Because web-server logs record attacker-controlled request fields, the attacker first plants PHP code in such a log (log poisoning) and then has the application include that file, so the injected PHP runs in the context of the PHP process and arbitrary system commands can be executed on the server. Note the precondition: the attacker must already hold administrator credentials (CVSS PR:H), so this is a post-authentication escalation from application administrator to OS-level code execution, not an unauthenticated remote attack.
Recommendations: Update InvoicePlane to version 1.7.1. Until the upgrade is applied, treat every administrator account as able to execute code on the host: limit who holds that role, and review the public invoice template setting for any value that names a file outside the template directory.
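The two defensive checks a practitioner would want for the LFI plus log-poisoning chain described above, modelled in Python as an added example (this is not InvoicePlane's own PHP code, and the 1.7.1 fix itself is not shown): a template resolver that refuses any setting value which is not a plain template name inside the template directory, and an incident-response scan that flags log lines carrying PHP tags, which is the signature of a poisoned log. The template directory, template names and the access-log lines are constructed for the example.

```python
"""
Added example, not InvoicePlane code.

1. resolve_template(): turns an administrator-supplied template setting into a
   file path only if it is a plain name present in the template directory. This
   is the containment check an include()-style template loader needs so that a
   value such as '../../var/log/apache2/access.log' can never be included.
2. find_poisoned_log_lines(): scans web-server log lines for PHP tags. Logs echo
   attacker-controlled request fields (User-Agent, request path), so a PHP open
   tag in a log line is the artefact left behind by log poisoning.
All paths, names and log lines below are constructed sample data.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Matches '<?php', '<?=' and the closing '?>' tag.
PHP_TAG_RE = re.compile(r"<\?(?:php|=)|\?>", re.IGNORECASE)
# A template name is a bare identifier: no separators, no dots, no NUL bytes,
# so no traversal, no absolute paths and no stream wrappers can be expressed.
TEMPLATE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_template(template_dir: str, setting: str) -> Optional[str]:
    """Return the absolute path of an allowed template, or None if rejected."""
    if not TEMPLATE_NAME_RE.fullmatch(setting):
        return None
    base = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(base, setting + ".php"))
    # Containment check: even via a symlink, the resolved path must stay inside
    # the template directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def find_poisoned_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every log line containing a PHP tag."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if PHP_TAG_RE.search(line):
            hits.append((n, line.strip()))
    return hits


# Constructed sample: two benign access-log lines and one poisoned User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Feb/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [18/Feb/2026:10:00:07 +0000] "GET /invoices HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '10.0.0.9 - - [18/Feb/2026:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[\'c\']); ?>"',
]


def demo() -> Tuple[bool, bool, int]:
    """Exercise both checks against a constructed template directory.

    Returns (legitimate name accepted, traversal value rejected, poisoned lines found).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tdir = os.path.join(tmp, "templates")
        os.makedirs(tdir)
        open(os.path.join(tdir, "default.php"), "w").close()
        accepted = resolve_template(tdir, "default") is not None
        rejected = resolve_template(tdir, "../../var/log/apache2/access") is None
        return accepted, rejected, len(find_poisoned_log_lines(SAMPLE_LOG))


if __name__ == "__main__":
    print(demo())
```

The resolver deliberately allowlists by shape (a bare identifier that exists in the directory) rather than blocklisting strings such as `../`, because a blocklist would still leave absolute paths and PHP stream wrappers to be argued over; the log scan is a triage aid, and a match should be followed by checking whether the template setting was changed to name that log file.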

Exploit

Fix

RCE

Code Injection


Weakness Enumeration

Related identifiers

CVE-2026-25548
GHSA-G6RW-M9MF-33CH

Affected products

Invoiceplane