CVE-2026-24745
Published: 18 February 2026
Summary
CVE-2026-24745 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Invoiceplane Invoiceplane. Its CVSS base score is 5.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2026-24745 is a Stored Cross-Site Scripting (XSS) vulnerability, tied to CWE-79, affecting the Upload Login Logo function in InvoicePlane version 1.7.0. InvoicePlane is a self-hosted open-source application designed for managing invoices, clients, and payments. The flaw stems from the application's allowance of SVG file uploads without adequate validation or sanitization, enabling the storage and execution of malicious scripts.
Exploitation requires administrator privileges (PR:H) and user interaction (UI:R), with network access (AV:N) and low attack complexity (AC:L). An authorized administrator can upload a malicious SVG file containing an XSS payload via the Login Logo upload feature. Successful exploitation enables unauthorized modification of application data, creation of persistent backdoors through stored scripts, and full compromise of the application's integrity, as reflected in the CVSS v3.1 base score of 5.7 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L).
InvoicePlane version 1.7.1 addresses the vulnerability with a patch. Additional details are available in the GitHub security advisory at https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-r9rq-f946-6x54 and the specific commit at https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8096
Vulnerability details
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg…
more
files. Although administrator privileges are required to exploit it, this is still considered a critical vulnerability as it can cause actions such as unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity. Version 1.7.1 patches the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS via unsanitized SVG upload directly enables exploitation of the network-accessible web app (T1190) to execute attacker-controlled JavaScript (T1059.007), facilitating browser session hijacking (T1185) and web session cookie theft (T1539) for data modification and persistent client-side backdoors.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of all input, including uploaded SVG files, which would have blocked the malicious script payload before storage.
Mandates malicious code detection mechanisms that can scan or block executable content inside SVG uploads before they are persisted.
Requires integrity verification of software and information (including user-uploaded files) to detect unauthorized or malicious modifications prior to use.