Cyber Resilience

CVE-2026-24745

MediumPublic PoC

Published: 18 February 2026

Published
18 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v3.1 5.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L
EPSS Score 0.0006 18.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24745 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Invoiceplane Invoiceplane. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2026-24745 is a Stored Cross-Site Scripting (XSS) vulnerability, tied to CWE-79, affecting the Upload Login Logo function in InvoicePlane version 1.7.0. InvoicePlane is a self-hosted open-source application designed for managing invoices, clients, and payments. The flaw stems from the application's allowance of SVG file uploads without adequate validation or sanitization, enabling the storage and execution of malicious scripts.

Exploitation requires administrator privileges (PR:H) and user interaction (UI:R), with network access (AV:N) and low attack complexity (AC:L). An authorized administrator can upload a malicious SVG file containing an XSS payload via the Login Logo upload feature. Successful exploitation enables unauthorized modification of application data, creation of persistent backdoors through stored scripts, and full compromise of the application's integrity, as reflected in the CVSS v3.1 base score of 5.7 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L).

InvoicePlane version 1.7.1 addresses the vulnerability with a patch. Additional details are available in the GitHub security advisory at https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-r9rq-f946-6x54 and the specific commit at https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6.

EU & UK References

Vulnerability details

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg…

more

files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS via unsanitized SVG upload directly enables exploitation of the network-accessible web app (T1190) to execute attacker-controlled JavaScript (T1059.007), facilitating browser session hijacking (T1185) and web session cookie theft (T1539) for data modification and persistent client-side backdoors.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24744Same product: Invoiceplane Invoiceplane
CVE-2026-24743Same product: Invoiceplane Invoiceplane
CVE-2026-24746Same product: Invoiceplane Invoiceplane
CVE-2024-56975Same product: Invoiceplane Invoiceplane
CVE-2026-25548Same product: Invoiceplane Invoiceplane
CVE-2025-67084Same product: Invoiceplane Invoiceplane
CVE-2026-23491Same product: Invoiceplane Invoiceplane
CVE-2025-67949Shared CWE-79
CVE-2024-56033Shared CWE-79
CVE-2025-23549Shared CWE-79

Affected Assets

invoiceplane
invoiceplane
1.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of all input, including uploaded SVG files, which would have blocked the malicious script payload before storage.

preventdetect

Mandates malicious code detection mechanisms that can scan or block executable content inside SVG uploads before they are persisted.

prevent

Requires integrity verification of software and information (including user-uploaded files) to detect unauthorized or malicious modifications prior to use.

References