CVE-2026-24745 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in InvoicePlane, a self-hosted open source application for managing invoices, clients, and payments. The vulnerability exists in the Upload Login Logo functionality of InvoicePlane version 1.7.0, where the application improperly allows the upload of SVG files without adequate sanitization. While administrator privileges are required for exploitation, the persistent nature of stored XSS makes this a significant security concern that can lead to unauthorized modification of application data, creation of persistent backdoors through stored malicious scripts, and full compromise of the application's integrity.
Critical Impact
Stored XSS in the login logo upload function allows attackers with administrator access to inject persistent malicious scripts, potentially compromising all users who view the login page and enabling full application takeover.
Affected Products
- InvoicePlane version 1.7.0
- Self-hosted InvoicePlane deployments with SVG upload enabled
- Systems where administrators have access to upload custom login logos
Discovery Timeline
- February 18, 2026 - CVE-2026-24745 published to NVD
- February 19, 2026 - Last updated in NVD database
Technical Details for CVE-2026-24745
Vulnerability Analysis
This vulnerability falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The Upload Login Logo feature in InvoicePlane 1.7.0 accepts SVG file uploads without properly sanitizing the file contents. SVG files are XML-based and can contain embedded JavaScript code within <script> tags or event handlers like onload, onclick, and similar attributes.
When an administrator uploads a malicious SVG file as the login logo, the embedded script content is stored on the server and subsequently executed in the browsers of any user who visits the login page. This creates a persistent attack vector that can affect all users of the application, including other administrators.
The network-based attack vector combined with the requirement for high privileges (administrator access) and user interaction (victim visiting the login page) characterizes this as an authenticated stored XSS vulnerability with significant impact on application integrity.
Root Cause
The root cause of this vulnerability stems from inadequate input validation and sanitization of SVG file uploads in the login logo upload functionality. The application fails to:
- Properly validate and sanitize SVG file contents before storage
- Strip potentially dangerous elements such as <script> tags and JavaScript event handlers
- Implement Content Security Policy (CSP) headers to mitigate script execution
- Consider SVG files as potentially executable content requiring special handling
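The root-cause list above says the application should strip `<script>` elements and JavaScript event-handler attributes before storing an uploaded SVG. The following is an added example of such a server-side sanitizer, written in Python for illustration; it is not InvoicePlane code and does not reproduce the project's fix. It uses only the standard library and a constructed sample logo; in production the parse call would be swapped for `defusedxml.ElementTree.fromstring` (assumed available) to also defend against entity-expansion attacks.

```python
"""Strip active content from an SVG before it is stored as a login logo.

Added example for the CVE-2026-24745 write-up; not InvoicePlane code.
Parser-based: entity-encoded tricks such as &#106;avascript: are decoded by
the XML parser before the checks run, so they do not slip past the filter.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialize without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Elements that can execute script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# URL-carrying attributes whose scheme must be checked.
URL_ATTRIBUTES = {"href", f"{{{XLINK_NS}}}href"}


def _local(name: str) -> str:
    """Local part of a possibly namespaced name such as '{uri}script'."""
    return name.rsplit("}", 1)[-1]


def _has_active_scheme(value: str) -> bool:
    """True for javascript:/vbscript: URLs. Browsers ignore ASCII control
    characters and whitespace inside the scheme, so strip them first.
    data: is deliberately allowed: logos often embed raster images that way."""
    compact = re.sub(r"[\x00-\x20]", "", value).lower()
    return compact.startswith(("javascript:", "vbscript:"))


def _detach(parent: ET.Element, child: ET.Element, index: int) -> None:
    """Remove child from parent without losing the text that followed it."""
    if child.tail:
        if index > 0:
            prev = parent[index - 1]
            prev.tail = (prev.tail or "") + child.tail
        else:
            parent.text = (parent.text or "") + child.tail
    parent.remove(child)


def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (sanitized SVG, descriptions of everything removed).

    Raises ValueError if the input is not well-formed XML or its root is not
    <svg>; a rejected upload is the right outcome for such a file.
    """
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed: list[str] = []

    def scrub(elem: ET.Element) -> None:
        # Walk children in reverse so indices stay valid while removing.
        for index, child in reversed(list(enumerate(elem))):
            if _local(child.tag) in ACTIVE_ELEMENTS:
                removed.append(f"element <{_local(child.tag)}>")
                _detach(elem, child, index)
            else:
                scrub(child)
        for name in list(elem.attrib):
            if _local(name).lower().startswith("on"):
                removed.append(f"attribute {_local(name)} on <{_local(elem.tag)}>")
                del elem.attrib[name]
            elif name in URL_ATTRIBUTES and _has_active_scheme(elem.attrib[name]):
                removed.append(f"{_local(name)} with active scheme on <{_local(elem.tag)}>")
                del elem.attrib[name]

    scrub(root)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: the markup the advisory describes (script element,
# onload/onclick handlers, javascript: link). The payloads are inert alerts.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="40" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">Logo</text></a>
  <rect width="100" height="40" onclick="alert(3)" fill="#336"/>
</svg>"""

if __name__ == "__main__":
    clean, report = sanitize_svg(MALICIOUS_SVG)
    print(clean)
    print("removed:", report)
```

Because the sanitizer reports what it removed, an upload handler can either store the cleaned file or, more conservatively, reject any file for which the report is non-empty and log the event for the administrator audit trail.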
Attack Vector
The attack leverages the network-accessible upload functionality to inject malicious content. An attacker with administrator credentials can craft an SVG file containing malicious JavaScript payloads. When uploaded as the login logo, this file is served to all users visiting the login page. The embedded scripts execute in the context of the victim's browser session, potentially allowing:
- Session hijacking through cookie theft
- Keylogging of login credentials
- Defacement of the application interface
- Redirection to phishing pages
- Further privilege escalation attacks
// Security patch in application/libraries/MY_Form_validation.php - Version 1.7.1 to develop (#1463)
public function run($config = null, &$data = null)
{
- if (is_object($config)) {
- $this->CI = &$config;
- }
+ (is_object($config)) && $this->CI = &$config;
return parent::run($data);
}
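Review bot: Nothing in this hunk touches SVG parsing, upload validation or output encoding, so it cannot on its own be the fix for CVE-2026-24745 that the header comment implies; the only change is that `if (is_object($config)) { $this->CI = &$config; }` becomes `(is_object($config)) && $this->CI = &$config;`, which assigns the same reference under the same condition. As a style point, the explicit `if` block is easier to read than a short-circuit `&&` wrapped around a by-reference assignment, and keeping it would not change behaviour; if this commit is cited as the security patch, the hunk that adds the sanitization should be shown alongside it.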
Source: GitHub Commit Update
// Security patch in index.php - Version 1.7.1 to develop (#1463)
* This variable must contain the name of your "system" directory.
* Set the path if it is not in the same directory as this file.
*/
-$system_path = 'vendor/codeigniter/framework/system';
+$system_path = 'vendor/pocketarc/codeigniter/system';
/*
*---------------------------------------------------------------
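Review bot: The hunk only relocates the CodeIgniter system directory from `vendor/codeigniter/framework/system` to `vendor/pocketarc/codeigniter/system`; a dependency path swap has no bearing on SVG upload sanitization, so presenting it as the security patch for this CVE is misleading unless the corresponding dependency change is documented next to it. The comment block above the assignment is still the stock "This variable must contain the name of your system directory" text and gives no hint why the path moved; add a one-line note (or a reference to the dependency manifest change) so the next reader knows which package is expected at that path.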
Source: GitHub Commit Update
Detection Methods for CVE-2026-24745
Indicators of Compromise
- SVG files in the login logo upload directory containing <script> tags or JavaScript event handlers
- Unusual or obfuscated content within uploaded SVG files
- Web server logs showing requests to SVG resources with unusual query parameters
- Reports from users experiencing unexpected browser behavior on the login page
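The first two indicators above can be turned into a sweep of the logo upload directory. The following is an added, stand-alone Python example, not InvoicePlane code; the directory layout and sample files are constructed for the demonstration. It deliberately works on raw bytes with regular expressions rather than an XML parser, so it also flags files that are not well-formed XML, and it goes slightly beyond the list by inspecting files whose extension is not `.svg` but whose contents open an `<svg>` element, and by flagging DTD entity declarations as possible obfuscation.

```python
"""Sweep an upload directory for SVG files carrying the indicators above.

Added example for the CVE-2026-24745 write-up; not InvoicePlane code.
Regex-based on raw bytes so that malformed or deliberately broken files
are still reported.
"""
import re
import tempfile
from pathlib import Path

# (report name, case-insensitive byte pattern) for each indicator.
INDICATORS = [
    ("script element", re.compile(rb"<\s*script\b", re.IGNORECASE)),
    ("foreignObject element", re.compile(rb"<\s*foreignObject\b", re.IGNORECASE)),
    ("event handler attribute", re.compile(rb"\son[a-z]+\s*=", re.IGNORECASE)),
    ("javascript: URL", re.compile(rb"javascript\s*:", re.IGNORECASE)),
    # Internal DTD entities can assemble markup piecewise to evade naive
    # pattern checks; treat their presence in a logo as suspicious.
    ("DTD entity declaration", re.compile(rb"<!ENTITY\b", re.IGNORECASE)),
]

# Used to recognise SVG content stored under a misleading extension.
SVG_MARKER = re.compile(rb"<\s*svg\b", re.IGNORECASE)


def scan_svg_bytes(data: bytes) -> list[str]:
    """Names of all indicators present in one file's contents."""
    return [name for name, pattern in INDICATORS if pattern.search(data)]


def scan_upload_dir(directory: Path) -> dict[str, list[str]]:
    """Map each suspicious file (path relative to directory) to its indicators.

    Every regular file is examined: a file is treated as SVG if its name ends
    in .svg or its first 4 KiB contain an <svg> start tag.
    """
    findings: dict[str, list[str]] = {}
    for path in sorted(p for p in directory.rglob("*") if p.is_file()):
        data = path.read_bytes()
        if not (path.suffix.lower() == ".svg" or SVG_MARKER.search(data[:4096])):
            continue
        hits = scan_svg_bytes(data)
        if hits:
            findings[str(path.relative_to(directory))] = hits
    return findings


def build_demo_dir() -> Path:
    """Create a temporary directory holding constructed sample uploads:
    one clean logo, one with the advisory's indicators, and SVG content
    stored under a .png name."""
    root = Path(tempfile.mkdtemp(prefix="ip_logos_"))
    (root / "clean.svg").write_bytes(
        b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>')
    (root / "bad.svg").write_bytes(
        b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
        b'<script>alert(document.cookie)</script></svg>')
    (root / "logo.png").write_bytes(
        b'<svg xmlns="http://www.w3.org/2000/svg"><a href="JavaScript:alert(2)"/></svg>')
    return root


if __name__ == "__main__":
    for name, hits in scan_upload_dir(build_demo_dir()).items():
        print(f"{name}: {', '.join(hits)}")
```

Run against the real upload directory, the output is the list of files to quarantine and compare with the upload log; an empty result for a file named `logo.png` that the scanner nonetheless treated as SVG is itself worth a look, since a legitimate raster logo would not contain an `<svg>` tag.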
Detection Strategies
- Implement file integrity monitoring on the upload directories to detect unauthorized or modified SVG files
- Deploy web application firewalls (WAF) with rules to inspect uploaded file contents for embedded scripts
- Review server access logs for suspicious administrator activity related to logo upload functionality
- Configure browser-based XSS auditors and Content Security Policy headers to detect and block inline script execution
Monitoring Recommendations
- Enable detailed logging for all file upload operations within InvoicePlane
- Set up alerts for any SVG file uploads to the login logo directory
- Monitor for anomalous administrator login patterns that may indicate credential compromise
- Implement network traffic analysis to detect data exfiltration attempts originating from the login page
How to Mitigate CVE-2026-24745
Immediate Actions Required
- Upgrade InvoicePlane to version 1.7.1 or later immediately
- Review and remove any existing SVG files uploaded as login logos in version 1.7.0 installations
- Audit administrator accounts for unauthorized access or suspicious activity
- Consider temporarily disabling the custom login logo feature until the patch is applied
Patch Information
InvoicePlane version 1.7.1 addresses this vulnerability. The security patch is available through the official GitHub repository. For detailed patch information, refer to the GitHub Security Advisory and the GitHub Commit.
Workarounds
- Restrict SVG file uploads by configuring the web server to reject SVG files in the logo upload directory
- Implement server-side SVG sanitization using libraries that strip JavaScript content from uploaded files
- Deploy Content Security Policy (CSP) headers to prevent inline script execution
- Limit administrator access to trusted personnel only and enable multi-factor authentication for admin accounts
# Apache configuration: refuse to serve SVG files from the logo directory.
# This closes the rendering path; the application still accepts the upload,
# and the rule only applies when the web server serves the file directly
# rather than the application streaming it.
<Directory "/var/www/invoiceplane/uploads/logos">
    <FilesMatch "(?i)\.svg$">
        Require all denied
    </FilesMatch>
</Directory>
# Nginx alternative (case-insensitive match so .SVG is covered as well)
location /uploads/logos {
    location ~* \.svg$ {
        deny all;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

