CVE-2026-24743

Name of the Vulnerable Software and Affected Versions InvoicePlane version 1.7.0

Description InvoicePlane is a self-hosted open source application used for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) issue exists in the upload Invoice Logo function. The function allows the application to upload svg files. While administrator privileges are needed to exploit this, it is considered a critical issue because it could lead to unauthorized modification of application data, the creation of persistent backdoors through stored malicious scripts, and a full compromise of the application’s integrity.

Recommendations Update to version 1.7.1.