CVE-2026-24745

Name of the Vulnerable Software and Affected Versions InvoicePlane version 1.7.0

Description InvoicePlane is a self-hosted open source application used for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) issue exists in the upload Login Logo function. The application permits the uploading of SVG files. While administrator privileges are needed to exploit this, it is considered a critical issue because it could lead to unauthorized modification of application data, the creation of persistent backdoors through stored malicious scripts, and complete compromise of the application’s integrity.

Recommendations Update to version 1.7.1.