
Description

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and log poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by pointing the `public_invoice_template` setting at a log file into which PHP code has previously been written; the poisoned file is then included and executed. Version 1.7.1 patches the issue.
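The following PHP is an added example, not InvoicePlane's code and not taken from the advisory or the fix commit. It shows the generic shape of the bug class the description names (CWE-98: a stored setting used as an include path) next to a hardened resolver that confines the value to a single file name inside the template directory. The function names, the template directory layout and the sample inputs are all assumptions made for the demonstration.

```php
<?php
// Added example (not InvoicePlane's code). Generic illustration of the
// CWE-98 pattern behind CVE-2026-25548: a template name read from a stored,
// admin-controlled setting is used to build an include path. If that value
// can point at a log file into which PHP was previously written (CWE-117
// log poisoning), include executes it. All names here are assumed.

declare(strict_types=1);

// Vulnerable pattern: the setting value goes straight into the include path.
// A value such as "../../../var/log/app" escapes the template directory.
function render_template_unsafe(string $templateDir, string $setting): string
{
    return $templateDir . '/' . $setting . '.php';
}

// Hardened resolver: accept only a plain single-segment name, then verify the
// canonical path of the resulting file still lies inside the template dir.
function resolve_template(string $templateDir, string $setting): ?string
{
    // Rejects path separators, "..", stream wrappers (php://) and null bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $setting)) {
        return null;
    }
    $base = realpath($templateDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $setting . '.php');
    // The file must exist and its canonical path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo on a constructed template directory (assumed layout, created here).
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/InvoicePlane.php', "<?php echo 'template ok';\n");

$inputs = [
    'InvoicePlane',                        // legitimate template name
    '../../../../var/log/apache2/access',  // traversal toward a poisoned log
    'php://filter/resource=index',         // stream wrapper
    "InvoicePlane\0",                      // null byte
];
foreach ($inputs as $in) {
    $unsafe = render_template_unsafe($dir, $in);
    $safe   = resolve_template($dir, $in);
    printf("%-42s unsafe=%s safe=%s\n", json_encode($in), $unsafe, $safe ?? 'REJECTED');
}

// Only the resolved, confined path is ever passed to include.
$path = resolve_template($dir, 'InvoicePlane');
if ($path !== null) {
    include $path;
    echo "\n";
}
```

Run with `php example.php`; only the first input resolves, the other three are rejected before `realpath` is ever called on them. The allowlist regex is what closes the log-file path: even with a writable log under the web root, a value like `../../../var/log/...` can no longer be stored as a template name, and the `realpath` prefix check catches symlinks inside the template directory that point elsewhere.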

PUBLISHED Reserved 2026-02-02 | Published 2026-02-18 | Updated 2026-02-19 | Assigner GitHub_M

CRITICAL: 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CWE-117: Improper Output Neutralization for Logs

Product status

<= 1.7.0: affected

References

github.com/...ePlane/security/advisories/GHSA-g6rw-m9mf-33ch

github.com/...ommit/93622f2df88a860d89bfee56012cabb2942061d6

cve.org (CVE-2026-25548)

nvd.nist.gov (CVE-2026-25548)
