{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25548", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.376Z", "datePublished": "2026-02-18T22:49:15.235Z", "dateUpdated": "2026-02-19T17:46:01.656Z"}, "containers": {"cna": {"title": "InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-98", "lang": "en", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-117", "lang": "en", "description": "CWE-117: Improper Output Neutralization for Logs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-g6rw-m9mf-33ch", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-g6rw-m9mf-33ch"}, {"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6", "tags": ["x_refsource_MISC"], "url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"}], "affected": [{"vendor": "InvoicePlane", "product": "InvoicePlane", "versions": [{"version": "<= 1.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-18T22:49:15.235Z"}, "descriptions": [{"lang": "en", "value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue."}], "source": {"advisory": "GHSA-g6rw-m9mf-33ch", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:07:35.625979Z", "id": "CVE-2026-25548", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:46:01.656Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25548", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T17:07:35.625979Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:07:37.588Z"}}], "cna": {"title": "InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning", "source": {"advisory": "GHSA-g6rw-m9mf-33ch", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "InvoicePlane", "product": "InvoicePlane", "versions": [{"status": "affected", "version": "<= 1.7.0"}]}], "references": [{"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-g6rw-m9mf-33ch", "name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-g6rw-m9mf-33ch", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6", "name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-117", "description": "CWE-117: Improper Output Neutralization for Logs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-18T22:49:15.235Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25548", "state": "PUBLISHED", "dateUpdated": "2026-02-19T17:46:01.656Z", "dateReserved": "2026-02-02T19:59:47.376Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-18T22:49:15.235Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*", "matchCriteriaId": "200F4F45-C04E-4F4E-9DF4-CE8D5ABEDB9F", "versionEndExcluding": "1.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue."}, {"lang": "es", "value": "InvoicePlane es una aplicaci\u00f3n de c\u00f3digo abierto autoalojada para gestionar facturas, clientes y pagos. Una vulnerabilidad cr\u00edtica de ejecuci\u00f3n remota de c\u00f3digo (RCE) existe en InvoicePlane 1.7.0 a trav\u00e9s de un ataque encadenado de inclusi\u00f3n local de ficheros (LFI) y envenenamiento de logs. Un administrador autenticado puede ejecutar comandos de sistema arbitrarios en el servidor manipulando la configuraci\u00f3n 'public_invoice_template' para incluir ficheros de log envenenados que contienen c\u00f3digo PHP. La versi\u00f3n 1.7.1 corrige el problema."}], "id": "CVE-2026-25548", "lastModified": "2026-02-20T18:45:32.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-18T23:16:19.567", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-g6rw-m9mf-33ch"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-98"}, {"lang": "en", "value": "CWE-117"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "InvoicePlane", "source": "cna", "vendor": "InvoicePlane"}, "product": "invoiceplane", "vendor": "invoiceplane"}], "analysis": {"en": {"generated_at": "2026-04-17T18:24:18.874416+00:00", "value": {"mitigation_remediation": ["Apply the official vendor update to InvoicePlane version 1.7.1 or later to remove the LFI and log poisoning logic. ", "Adjust or remove the public_invoice_template configuration so that it cannot point to arbitrary local files, ensuring that only approved template files are loaded. ", "Enforce strict access controls on the administrator interface, limiting the number of users who can modify system settings and regularly audit configuration changes."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is InvoicePlane\u2019s web application, specifically the 1.7.0 release. All instances running this version without the 1.7.1 patch are susceptible. ", "description_and_impact": "InvoicePlane 1.7.0 suffered a remote code execution flaw that combines a local file inclusion weakness with log poisoning. An authenticated administrator can change the public_invoice_template setting to point to a log file that contains injected PHP code, enabling the execution of arbitrary system commands on the host. The vulnerabilities align with CWE\u2011117, CWE\u201194, and CWE\u201198 and allow the attacker to fully compromise confidentiality, integrity, and availability of the server. ", "risk_and_exploitability": "The CVSS score of 9.1 marks the flaw as critical, but the EPSS score of less than 1% indicates a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no known exploitation in the wild. The attack requires authenticated administrative privileges and leverages the configuration setting for public invoices, providing a clear vector for exploitation. Impact assessment therefore remains high due to the severe damage that could result if the flaw is leveraged by insiders or compromised administrators."}}}}, "created": "2026-02-19T10:08:08.016155+00:00", "updated": "2026-04-17T18:30:05.654370+00:00", "vendors": ["invoiceplane", "invoiceplane$PRODUCT$invoiceplane"]}