CVE-2026-24743 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in InvoicePlane, a self-hosted open source application for managing invoices, clients, and payments. The vulnerability exists in the Upload Invoice Logo function of InvoicePlane version 1.7.0, which accepts SVG file uploads without proper sanitization. Although administrator privileges are required to exploit this vulnerability, successful exploitation can lead to severe security consequences.
Critical Impact
This vulnerability enables unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity through administrator-level XSS attacks.
Affected Products
- InvoicePlane version 1.7.0
- Self-hosted InvoicePlane deployments with SVG upload enabled
- Environments where administrators can upload custom invoice logos
Discovery Timeline
- 2026-02-18 - CVE-2026-24743 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-24743
Vulnerability Analysis
This Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) resides in the invoice logo upload functionality of InvoicePlane. The application allows administrators to upload SVG files as custom invoice logos without adequate input validation or sanitization. SVG files are XML-based and can contain embedded JavaScript code that executes when the file is rendered in a browser context.
While administrator privileges are required to upload the malicious file, the stored nature of this XSS vulnerability means that the malicious payload persists on the server and executes whenever the affected page is loaded by any user, including other administrators or potentially lower-privileged users viewing invoices.
Root Cause
The root cause of this vulnerability is improper input validation in the file upload functionality. The application fails to sanitize SVG file content before storage, allowing embedded script elements within SVG files to persist and execute in user browsers. The Upload Invoice Logo feature accepts SVG files without stripping potentially dangerous elements such as <script> tags, event handlers (e.g., onload, onclick), or other executable content embedded within the SVG markup.
Attack Vector
The attack is network-based and requires an authenticated administrator to upload a specially crafted SVG file containing malicious JavaScript. Once uploaded as an invoice logo, the malicious script executes whenever the logo is rendered in a user's browser. Attack scenarios include:
- An attacker with compromised administrator credentials uploads a malicious SVG logo
- A malicious insider with administrator access plants a persistent backdoor
- The malicious script could steal session tokens, modify application data, or redirect users to phishing pages
The security patches in version 1.7.1 address the underlying framework dependencies:
// Source: https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6
public function run($config = null, &$data = null)
{
- if (is_object($config)) {
- $this->CI = &$config;
- }
+ (is_object($config)) && $this->CI = &$config;
return parent::run($data);
}
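Review bot: this hunk is a behaviour-neutral refactor rather than a fix for the SVG upload issue: replacing `if (is_object($config)) { $this->CI = &$config; }` with `(is_object($config)) && $this->CI = &$config;` still performs the reference assignment only when $config is an object, and nothing in the hunk touches upload or SVG handling. The short-circuit form depends on PHP accepting an assignment as the right operand of `&&`, which is less obvious to readers than the original if block; suggest keeping the if block, and if this commit is cited as the CVE-2026-24743 fix, showing the actual sanitization change separately.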
Additionally, the framework path was updated to a patched version:
// Source: https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6
* This variable must contain the name of your "system" directory.
* Set the path if it is not in the same directory as this file.
*/
-$system_path = 'vendor/codeigniter/framework/system';
+$system_path = 'vendor/pocketarc/codeigniter/system';
/*
*---------------------------------------------------------------
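Review bot: the only change in this hunk is the framework path moving from `vendor/codeigniter/framework/system` to `vendor/pocketarc/codeigniter/system`, i.e. a swap to a different CodeIgniter package; the visible lines do not state what that package changes, so the surrounding text's claim that it is a "patched version" cannot be checked from the hunk. Suggest a comment above $system_path (or the commit message) naming the package version and the change it carries, and a reminder that the new vendor directory must exist on deployed installs, since the comment above says this variable must point at the "system" directory.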
Detection Methods for CVE-2026-24743
Indicators of Compromise
- SVG files in the invoice logo upload directory containing <script> tags or JavaScript event handlers
- Unexpected SVG file uploads with embedded onload, onclick, onerror, or similar attributes
- Browser console errors or unexpected script execution when viewing invoices or logo-containing pages
- Audit logs showing logo uploads followed by suspicious account activity or data modifications
Detection Strategies
- Implement file content inspection for all SVG uploads to detect embedded JavaScript or event handlers
- Monitor web server logs for requests to SVG files followed by unusual POST requests or data exfiltration patterns
- Deploy Content Security Policy (CSP) headers to detect and report inline script execution attempts
- Configure Web Application Firewalls (WAF) to inspect SVG file contents for malicious payloads
Monitoring Recommendations
- Enable comprehensive logging for all file upload operations in InvoicePlane
- Set up alerts for SVG file uploads to administrative upload directories
- Monitor for changes to invoice logos or other uploaded assets
- Review user session activity following any administrative upload operations
How to Mitigate CVE-2026-24743
Immediate Actions Required
- Upgrade InvoicePlane to version 1.7.1 or later immediately
- Audit existing uploaded SVG files for malicious content and remove any suspicious files
- Review administrator account access and rotate credentials if compromise is suspected
- Implement Content Security Policy headers to mitigate script execution from uploaded content
Patch Information
InvoicePlane version 1.7.1 addresses this vulnerability. The patch includes updates to the form validation library and framework dependencies that improve input handling. Organizations should apply this update immediately by following the standard InvoicePlane upgrade procedure.
Detailed patch information is available at:
Workarounds
- Disable SVG file uploads for invoice logos until the patch can be applied
- Restrict administrator access to only trusted personnel until the update is deployed
- Implement server-side SVG sanitization using libraries that strip script elements before storage
- Configure the web server to serve uploaded SVG files with a Content-Disposition: attachment header so that browsers download them instead of rendering them inline
# Configuration example - Apache .htaccess (requires mod_headers) placed in the
# upload directory, so that the application's own SVG assets are not affected
<IfModule mod_headers.c>
  <FilesMatch "\.svg$">
    Header set Content-Disposition "attachment"
    Header set X-Content-Type-Options "nosniff"
  </FilesMatch>
</IfModule>
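The file content inspection from Detection Strategies and the server-side SVG sanitization workaround above, as an added Python example (not InvoicePlane code, which is PHP): scan_svg lists the active content the advisory names (script elements, on* handlers, javascript: URLs; foreignObject is added here because it can embed HTML) and sanitize_svg strips it. The function names and the sample logo are constructed for this example; only the standard library is used, and while expat does not fetch external entities, defusedxml is the safer parser for fully untrusted input.

```python
import xml.etree.ElementTree as ET

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialise as <svg>, not <ns0:svg>
ET.register_namespace("xlink", XLINK_NS)
BLOCKED_ELEMENTS = {"script", "foreignObject"}   # executable / HTML-embedding elements
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}      # attributes where javascript: URLs appear

def _local(name):
    # '{namespace}tag' -> 'tag'; un-namespaced names pass through unchanged
    return name.rsplit("}", 1)[-1]

def _is_active_attr(name, value):
    # on* event handlers (onload, onclick, onerror, ...) and javascript: URLs;
    # whitespace is dropped first because browsers ignore it inside the scheme
    if _local(name).lower().startswith("on"):
        return True
    return name in URL_ATTRS and "".join(value.split()).lower().startswith("javascript:")

def scan_svg(svg_bytes):
    # Detection: list every active-content finding; an empty list means nothing was seen.
    findings = []
    for el in ET.fromstring(svg_bytes).iter():
        tag = _local(el.tag)
        if tag in BLOCKED_ELEMENTS:
            findings.append("element <%s>" % tag)
        for name, value in el.attrib.items():
            if _is_active_attr(name, value):
                findings.append("attribute %s on <%s>" % (_local(name), tag))
    return findings

def sanitize_svg(svg_bytes):
    # Mitigation: return a copy with blocked elements and active attributes removed.
    root = ET.fromstring(svg_bytes)
    for parent in list(root.iter()):           # snapshot: the tree is edited below
        for child in list(parent):
            if _local(child.tag) in BLOCKED_ELEMENTS:
                parent.remove(child)
    for el in root.iter():
        for name in [n for n, v in el.attrib.items() if _is_active_attr(n, v)]:
            del el.attrib[name]
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

# Constructed sample logo (not from a real incident) carrying the patterns the advisory names.
SAMPLE_LOGO = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="40" onload="alert(1)">
  <rect width="100" height="40" fill="#08c"/>
  <script>alert(1)</script>
  <a xlink:href="javascript:alert(1)"><text x="10" y="25">Logo</text></a>
</svg>"""
```

Run scan_svg(SAMPLE_LOGO) to see the three findings, and scan_svg(sanitize_svg(SAMPLE_LOGO)) returns an empty list while the rect and text survive.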
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.