CVE-2026-24746

Name of the Vulnerable Software and Affected Versions InvoicePlane version 1.7.0

Description InvoicePlane is a self-hosted open source application used for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) issue exists in the Edit Quotes function. The application does not validate user input at the quote number parameter, potentially allowing unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Administrator privileges are required to exploit this issue.

Recommendations Versions prior to 1.7.1 are affected. Update to version 1.7.1 or later.