Cyber Posture

CVE-2026-25548

Critical · Public PoC · RCE

Published: 18 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: (not listed on this page)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0020 (41.9th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25548 is a critical-severity Code Injection (CWE-94) vulnerability in InvoicePlane (vendor Invoiceplane, product Invoiceplane). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 41.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- SI-2 Flaw Remediation (prevent): Directly mitigates the RCE by requiring timely patching to InvoicePlane 1.7.1, which resolves the LFI and log poisoning flaws.
- SI-10 Information Input Validation (prevent): Validates and sanitizes inputs to the `public_invoice_template` setting and log entries to block malicious PHP code injection and LFI exploitation.
- prevent: Enforces secure configuration settings for the application to restrict `public_invoice_template` from including arbitrary or poisoned log files.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a critical RCE in a public-facing web application (InvoicePlane) exploitable remotely by authenticated admins via LFI and log poisoning, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue.

Deeper analysis (AI-generated)

CVE-2026-25548 is a critical remote code execution (RCE) vulnerability affecting InvoicePlane, a self-hosted open-source application for managing invoices, clients, and payments. The flaw, present in version 1.7.0, stems from a chained local file inclusion (LFI) and log poisoning attack vector and is mapped to CWE-94 (Code Injection), CWE-98 (PHP File Inclusion), and CWE-117 (Log Injection). It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): network accessibility, low attack complexity, no user interaction, a scope change, and complete confidentiality, integrity, and availability impact, offset only by the high privileges required.

An authenticated administrator can exploit this vulnerability by manipulating the `public_invoice_template` setting to include poisoned log files containing arbitrary PHP code. This triggers the LFI to read and execute the malicious code from the logs, allowing the attacker to run arbitrary system commands on the server. Exploitation requires high privileges but no user interaction, enabling full server compromise from a remote network position.

The InvoicePlane GitHub security advisory (GHSA-g6rw-m9mf-33ch) and patching commit (93622f2df88a860d89bfee56012cabb2942061d6) confirm that upgrading to version 1.7.1 resolves the issue by addressing the LFI and log poisoning flaws in the template handling. Security practitioners should prioritize patching affected InvoicePlane 1.7.0 installations, especially in environments with admin access controls.
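A defender-side check for the input-validation control (SI-10) listed above and for the `public_invoice_template` abuse described in this analysis, as an added example that is not InvoicePlane's own code: the class and method names and the template directory layout are assumptions; only the setting name comes from the advisory.

```php
<?php
declare(strict_types=1);
// Added example, not InvoicePlane's own code. The class name, method name and
// template directory layout are hypothetical; the setting name
// `public_invoice_template` is the one named in the advisory.
final class TemplateSettingValidator
{
    public function __construct(private string $templateDir) {}

    /**
     * Resolve an admin-supplied template setting to an absolute path, or
     * return null if it is anything other than a plain template name that
     * exists directly inside the template directory.
     */
    public function resolve(string $setting): ?string
    {
        // Syntactic allowlist first: letters, digits, underscore, hyphen.
        // This rejects "../", absolute paths, stream wrappers such as
        // "php://" and embedded NUL bytes before touching the filesystem.
        if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $setting)) {
            return null;
        }
        $base = realpath($this->templateDir);
        if ($base === false) {
            return null;
        }
        $candidate = realpath($base . DIRECTORY_SEPARATOR . $setting . '.php');
        if ($candidate === false || !is_file($candidate)) {
            return null;
        }
        // Containment check: a symlink inside the directory must not lead
        // the resolved path outside it (e.g. to a web-server log file).
        if (dirname($candidate) !== $base) {
            return null;
        }
        return $candidate;
    }
}
// Constructed, throwaway template directory so the demo runs anywhere.
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/InvoicePlane.php', "<?php // demo template\n");
$validator = new TemplateSettingValidator($dir);
foreach (['InvoicePlane', '../logs/application.log', 'php://input', "InvoicePlane\0x"] as $value) {
    $path = $validator->resolve($value);
    printf("%-28s %s\n", addcslashes($value, "\0"), $path === null ? 'rejected' : 'accepted');
}
```

Only the bare template name resolves; every traversal, wrapper or NUL-byte variant is rejected before any include-style call could run, which is the property a log-poisoning chain depends on breaking.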

Details

CWE(s): CWE-94 (Code Injection), CWE-98 (PHP File Inclusion), CWE-117 (Log Injection)

Affected Products

Vendor: invoiceplane · Product: invoiceplane · Versions: ≤ 1.7.1

CVEs Like This One

- CVE-2024-56975 (same product: Invoiceplane Invoiceplane)
- CVE-2025-67084 (same product: Invoiceplane Invoiceplane)
- CVE-2026-24745 (same product: Invoiceplane Invoiceplane)
- CVE-2026-24746 (same product: Invoiceplane Invoiceplane)
- CVE-2026-24744 (same product: Invoiceplane Invoiceplane)
- CVE-2026-24743 (same product: Invoiceplane Invoiceplane)
- CVE-2026-23491 (same product: Invoiceplane Invoiceplane)
- CVE-2024-56281 (shared CWE-98)
- CVE-2025-58958 (shared CWE-98)
- CVE-2025-67935 (shared CWE-98)
