PT-2026-20546 · Unknown · Invoiceplane

Lagathos · Published 2026-02-18 · Updated 2026-02-24 · CVE-2026-25548

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: InvoicePlane 1.7.0 (the affected range is given as 1.7.0 through 1.7.0, i.e. only 1.7.0).
Description: InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. Version 1.7.0 contains a critical Remote Code Execution (RCE) vulnerability reached through a chain of Local File Inclusion (LFI) and log poisoning. The public invoice template setting, which an authenticated administrator can change, is used as the path of a file that the application includes, so an administrator can point it at a file outside the template directory. By first writing PHP code into a server log that the application can read (log poisoning) and then setting the template path to that log file, the attacker causes the PHP interpreter to execute the injected code and run arbitrary system commands on the server.
Recommendations: Update InvoicePlane to version 1.7.1.
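As an added illustration (this is not InvoicePlane's code; the template directory, the setting value and all function names are assumed), the following PHP shows the include pattern that turns a template setting into an LFI sink, a hardened resolver that confines the setting to an allowlisted file inside the template directory, and a small check an incident responder can run over a log file to see whether it already carries PHP tags:

```php
<?php
// Added example, not InvoicePlane's code. TEMPLATE_DIR and the function
// names are assumptions made for illustration.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates/public';   // assumed location

// VULNERABLE pattern: the admin-controlled setting is spliced into a path and
// passed to include. A value containing '../' reaches any file PHP can read,
// and if that file (e.g. a web-server log) contains '<?php ... ?>', the code
// in it runs with the web server's privileges.
function render_public_template_vulnerable(string $setting): void
{
    include TEMPLATE_DIR . '/' . $setting;
}

// HARDENED: accept only a bare template name, look it up in an allowlist built
// from the directory itself, and confirm with realpath() that the resolved
// file is still inside TEMPLATE_DIR (guards against symlinks dropped there).
function resolve_public_template(string $setting): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $setting)) {
        throw new InvalidArgumentException('template name must be a bare identifier');
    }

    $allowed = [];
    foreach (glob(TEMPLATE_DIR . '/*.php') ?: [] as $file) {
        $allowed[basename($file, '.php')] = $file;
    }
    if (!isset($allowed[$setting])) {
        throw new InvalidArgumentException('unknown template');
    }

    $base = realpath(TEMPLATE_DIR);
    $real = realpath($allowed[$setting]);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('template resolves outside the template directory');
    }
    return $real;
}

function render_public_template(string $setting): void
{
    include resolve_public_template($setting);
}

// Incident-response check for the other half of the chain: a log that already
// contains PHP open tags is a strong indicator of log poisoning.
function log_contains_php_tags(string $logPath): bool
{
    $fh = fopen($logPath, 'rb');
    if ($fh === false) {
        return false;
    }
    try {
        while (($line = fgets($fh)) !== false) {
            if (stripos($line, '<?php') !== false || strpos($line, '<?=') !== false) {
                return true;
            }
        }
    } finally {
        fclose($fh);
    }
    return false;
}

// Demonstration with constructed data.
try {
    // A traversal value of the kind the LFI needs is rejected by the resolver.
    resolve_public_template('../../var/log/apache2/access.log');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Constructed access-log line: a User-Agent carrying a PHP tag, as a poisoning
// request would leave it. The payload is a harmless marker, not a shell.
$sample = '203.0.113.5 - - [18/Feb/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
        . '"<?php echo \'poisoned\'; ?>"' . "\n";
$tmp = tempnam(sys_get_temp_dir(), 'log');
file_put_contents($tmp, $sample);
echo 'log poisoned: ', log_contains_php_tags($tmp) ? 'yes' : 'no', PHP_EOL;
unlink($tmp);
```

The allowlist and the realpath() confinement are deliberately both present: the regex stops traversal strings, the allowlist stops names of files that were never meant to be templates, and the realpath() prefix check catches the case where something inside the template directory points elsewhere.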

Exploit · Fix · RCE · Code Injection


Related Identifiers

CVE-2026-25548
GHSA-G6RW-M9MF-33CH

Affected Products

Invoiceplane