{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25596", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-03T01:02:46.717Z", "datePublished": "2026-02-18T22:59:44.627Z", "dateUpdated": "2026-02-19T16:33:52.856Z"}, "containers": {"cna": {"title": "InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4"}, {"name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6", "tags": ["x_refsource_MISC"], "url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"}], "affected": [{"vendor": "InvoicePlane", "product": "InvoicePlane", "versions": [{"version": "<= 1.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-18T22:59:44.627Z"}, "descriptions": [{"lang": "en", "value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue."}], "source": {"advisory": "GHSA-3wjq-822q-98f4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T16:28:59.972711Z", "id": "CVE-2026-25596", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T16:33:52.856Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25596", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T16:28:59.972711Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T16:33:43.740Z"}}], "cna": {"title": "InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List", "source": {"advisory": "GHSA-3wjq-822q-98f4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "InvoicePlane", "product": "InvoicePlane", "versions": [{"status": "affected", "version": "<= 1.7.0"}]}], "references": [{"url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4", "name": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6", "name": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-18T22:59:44.627Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25596", "state": "PUBLISHED", "dateUpdated": "2026-02-19T16:33:52.856Z", "dateReserved": "2026-02-03T01:02:46.717Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-18T22:59:44.627Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*", "matchCriteriaId": "200F4F45-C04E-4F4E-9DF4-CE8D5ABEDB9F", "versionEndExcluding": "1.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue."}, {"lang": "es", "value": "InvoicePlane es una aplicaci\u00f3n de c\u00f3digo abierto autoalojada para gestionar facturas, clientes y pagos. Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en InvoicePlane 1.7.0 a trav\u00e9s de los campos Product Unit Name. Un administrador autenticado puede inyectar JavaScript malicioso que se ejecuta cuando cualquier administrador ve una factura que contiene un producto con la unidad maliciosa. La versi\u00f3n 1.7.1 soluciona el problema."}], "id": "CVE-2026-25596", "lastModified": "2026-02-20T17:07:57.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-18T23:16:20.073", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "InvoicePlane", "source": "cna", "vendor": "InvoicePlane"}, "product": "invoiceplane", "vendor": "invoiceplane"}], "analysis": {"en": {"generated_at": "2026-04-17T18:23:17.781897+00:00", "value": {"mitigation_remediation": ["Upgrade InvoicePlane to version 1.7.1 or later to remove the XSS vulnerability.", "Clean all existing product unit names that contain suspicious or unexpected characters and replace them with plain text.", "Apply output encoding to the product unit name field and enforce the principle of least privilege for administrative access."], "summary": {"action": "Apply Patch", "impact": "Stored XSS"}, "threat_synthesis": {"affected_systems": "Only the 1.7.0 release of InvoicePlane is affected. The vendor product is InvoicePlane, and the vulnerable component is the product unit name input used in the invoice item list. Version 1.7.1 includes a patch that removes the vulnerability.", "description_and_impact": "InvoicePlane is a self\u2011hosted invoicing platform that allows administrators to manage invoices, clients, and payments. A stored cross\u2011site scripting flaw exists in version 1.7.0. It occurs when an administrator creates or edits a product unit name; the value is saved without proper output encoding and is later rendered unescaped in the invoice item list. An attacker who has authenticated administrator rights can inject arbitrary JavaScript, which is executed in the browser of any administrator who views an invoice that contains a product with a malicious unit name. The flaw is identified as CWE\u201179, allowing the attacker to alter user\u2011agent behavior, steal session cookies, or deface the application.", "risk_and_exploitability": "The CVSS score is 4.8, classifying it as a medium severity issue, while the EPSS score is less than 1\u202f%, indicating a very low exploitation probability. The vulnerability requires authenticated administrative privileges, so it is not remotely exploitable by unauthenticated users. Because the flaw enables arbitrary script execution only in the administrator\u2019s browser, the immediate impact is limited to accounts that have invoicing rights. The flaw is not listed in the CISA KEV catalog, so no known active exploitation campaigns have been reported yet. Nonetheless, because any administrator viewing an affected invoice can become a vector for further attacks, the risk warrants timely patching."}}}}, "created": "2026-02-19T10:08:05.476848+00:00", "updated": "2026-04-17T18:30:05.653272+00:00", "vendors": ["invoiceplane", "invoiceplane$PRODUCT$invoiceplane"]}