CVE-2026-25548 Overview
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the public_invoice_template setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue.
Critical Impact
Authenticated administrators can achieve full remote code execution on the server by chaining LFI with log poisoning, potentially leading to complete system compromise.
Affected Products
- InvoicePlane version 1.7.0
- Self-hosted InvoicePlane deployments with administrator access
- Systems where log files are accessible via the web server process
Discovery Timeline
- 2026-02-18 - CVE CVE-2026-25548 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-25548
Vulnerability Analysis
This vulnerability (CWE-94: Improper Control of Generation of Code) enables Remote Code Execution through a sophisticated attack chain combining Local File Inclusion with Log Poisoning techniques. The attack requires administrator-level authentication, but once achieved, grants the attacker complete control over the underlying server.
The vulnerability exists in how InvoicePlane handles the public_invoice_template setting. Instead of properly validating and sanitizing this input parameter, the application allows path traversal sequences that can be exploited to include arbitrary files from the filesystem, including log files that the attacker has previously poisoned with malicious PHP code.
Root Cause
The root cause lies in insufficient input validation within the application's template handling mechanism. The public_invoice_template configuration setting accepts user-controlled input that is subsequently used in file inclusion operations without adequate sanitization. This allows an authenticated administrator to specify paths outside the intended template directory, ultimately including log files that contain attacker-controlled content.
Attack Vector
The attack vector is network-based and requires authentication with administrator privileges. The exploitation occurs in two phases:
Log Poisoning Phase: The attacker injects malicious PHP code into application log files through crafted requests, user-agent strings, or other logged parameters.
Local File Inclusion Phase: The attacker modifies the public_invoice_template setting to point to the poisoned log file, causing the server to parse and execute the embedded PHP code.
The following code shows the security patch applied in version 1.7.1:
public function run($config = null, &$data = null)
{
- if (is_object($config)) {
- $this->CI = &$config;
- }
+ (is_object($config)) && $this->CI = &$config;
return parent::run($data);
}
Source: GitHub Commit Details
Additionally, the patch updated the CodeIgniter framework dependency:
* This variable must contain the name of your "system" directory.
* Set the path if it is not in the same directory as this file.
*/
-$system_path = 'vendor/codeigniter/framework/system';
+$system_path = 'vendor/pocketarc/codeigniter/system';
/*
*---------------------------------------------------------------
Source: GitHub Commit Details
Detection Methods for CVE-2026-25548
Indicators of Compromise
- Unusual modifications to the public_invoice_template configuration setting containing path traversal sequences (e.g., ../, ..%2f)
- Log files containing PHP code patterns such as <?php, system(, exec(, or passthru(
- Unexpected administrator account access or configuration changes
- Web server access logs showing requests with suspicious payloads in User-Agent or other headers
Detection Strategies
- Monitor application configuration changes, specifically tracking any modifications to template-related settings
- Implement file integrity monitoring on log directories to detect injection of executable code patterns
- Review web server access logs for path traversal attempts targeting the template configuration endpoint
- Deploy web application firewall (WAF) rules to detect and block LFI and log poisoning attack patterns
Monitoring Recommendations
- Enable detailed logging for all administrative actions within InvoicePlane
- Configure alerts for configuration changes that include file path references or special characters
- Monitor server processes spawned by the web server user for unexpected command execution
- Implement anomaly detection for unusual file access patterns in the application directory structure
How to Mitigate CVE-2026-25548
Immediate Actions Required
- Upgrade InvoicePlane to version 1.7.1 or later immediately
- Audit administrator account access and review recent configuration changes
- Examine log files for signs of PHP code injection attempts
- Restrict network access to the InvoicePlane administrative interface to trusted IP addresses only
Patch Information
InvoicePlane has released version 1.7.1 which addresses this vulnerability. The patch is available via the official GitHub commit. Additional details about the vulnerability and fix can be found in the GitHub Security Advisory.
Workarounds
- Implement strict input validation on the public_invoice_template setting at the web server or WAF level to block path traversal sequences
- Configure the web server to deny access to log files and restrict file inclusion to the designated template directory
- Enforce principle of least privilege by limiting administrator account access and enabling multi-factor authentication
- Place InvoicePlane behind a reverse proxy with additional security controls to filter malicious requests
# Example Apache configuration to restrict file inclusion
<Directory "/var/www/invoiceplane">
Options -Indexes -FollowSymLinks
AllowOverride None
# Block access to log files
<FilesMatch "\.(log|txt)$">
Require all denied
</FilesMatch>
</Directory>
# Block path traversal in URLs
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f) [NC,OR]
RewriteCond %{REQUEST_URI} (\.\./|\.\.%2f) [NC]
RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
