Cyber Resilience

CVE-2026-25548

CriticalPublic PoCRCE

Published: 18 February 2026

Published
18 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0077 51.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-25548 is a critical-severity Code Injection (CWE-94) vulnerability in Invoiceplane Invoiceplane. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25548 is a critical remote code execution (RCE) vulnerability affecting InvoicePlane, a self-hosted open-source application for managing invoices, clients, and payments. The flaw, present in version 1.7.0, stems from a chained local file inclusion (LFI) and log poisoning attack vector, mapped to CWEs-94 (Code Injection), CWE-98 (PHP File Inclusion), and CWE-117 (Log Injection). It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), highlighting its high severity due to network accessibility, low complexity, and potential for complete confidentiality, integrity, and availability impact with a scope change.

An authenticated administrator can exploit this vulnerability by manipulating the `public_invoice_template` setting to include poisoned log files containing arbitrary PHP code. This triggers the LFI to read and execute the malicious code from the logs, allowing the attacker to run arbitrary system commands on the server. Exploitation requires high privileges but no user interaction, enabling full server compromise from a remote network position.

The InvoicePlane GitHub security advisory (GHSA-g6rw-m9mf-33ch) and patching commit (93622f2df88a860d89bfee56012cabb2942061d6) confirm that upgrading to version 1.7.1 resolves the issue by addressing the LFI and log poisoning flaws in the template handling. Security practitioners should prioritize patching affected InvoicePlane 1.7.0 installations, especially in environments with admin access controls.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute…

more

arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a critical RCE in a public-facing web application (InvoicePlane) exploitable remotely by authenticated admins via LFI and log poisoning, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-56975Same product: Invoiceplane Invoiceplane
CVE-2025-67084Same product: Invoiceplane Invoiceplane
CVE-2026-24745Same product: Invoiceplane Invoiceplane
CVE-2026-24744Same product: Invoiceplane Invoiceplane
CVE-2026-24746Same product: Invoiceplane Invoiceplane
CVE-2026-23491Same product: Invoiceplane Invoiceplane
CVE-2026-24743Same product: Invoiceplane Invoiceplane
CVE-2025-67525Shared CWE-98
CVE-2026-22443Shared CWE-98
CVE-2026-22403Shared CWE-98

Affected Assets

invoiceplane
invoiceplane
≤ 1.7.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the RCE by requiring timely patching to InvoicePlane 1.7.1, which resolves the LFI and log poisoning flaws.

prevent

Validates and sanitizes inputs to the public_invoice_template setting and log entries to block malicious PHP code injection and LFI exploitation.

prevent

Enforces secure configuration settings for the application to restrict public_invoice_template from including arbitrary or poisoned log files.

References