CVE-2026-25594

Name of the Vulnerable Software and Affected Versions InvoicePlane versions prior to 1.7.1

Description InvoicePlane is a self-hosted open source application used for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) issue exists in the family name field in version 1.7.0. The family name value is displayed without proper HTML encoding within the family dropdown on the product form. If an administrator creates a family with a malicious name, the payload will execute in the browser of any administrator accessing the product form.

Recommendations Update to version 1.7.1 or later.