CVE-2026-24744

Name of the Vulnerable Software and Affected Versions InvoicePlane version 1.7.0

Description InvoicePlane is a self-hosted open source application used for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) issue exists in the Edit Invoices functionality. The application does not validate user input for the invoice number parameter when editing invoices. Exploitation requires administrator privileges and could lead to unauthorized modification of application data, the creation of persistent backdoors through stored malicious scripts, and a full compromise of the application’s integrity.

Recommendations Update to version 1.7.1 to address the issue.