CVE-2026-26281

Source
https://cve.org/CVERecord?id=CVE-2026-26281
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26281.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26281
Aliases
  • GHSA-ccpx-2v5c-cc24
Published
2026-02-18T23:03:08.876Z
Modified
2026-07-15T01:49:04.403538848Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View
Details

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26281.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/invoiceplane/invoiceplane

Affected ranges

Type
GIT
Repo
https://github.com/invoiceplane/invoiceplane
Events
Database specific
{
    "cpe": "cpe:2.3:a:invoiceplane:invoiceplane:1.7.0:-:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.7.0-NA"
        },
        {
            "last_affected": "1.7.0-NA"
        }
    ],
    "source": [
        "CPE_STRING",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.7.0-NA
= 1.*
= 1.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26281.json"