CVE-2026-26270 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in InvoicePlane, a self-hosted open source application for managing invoices, clients, and payments. This vulnerability allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into the "Identifier Format" field. The injected script executes when any user views the invoice list or the main dashboard, potentially compromising session data and enabling further attacks.
Critical Impact
Authenticated attackers can inject persistent malicious JavaScript that executes in the context of other users' sessions, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of victims.
Affected Products
- InvoicePlane versions prior to 1.7.1
- Self-hosted InvoicePlane installations with Invoice Group management enabled
- Deployments where multiple users have access to the dashboard and invoice lists
Discovery Timeline
- 2026-02-18 - CVE-2026-26270 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26270
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the Invoice Groups management functionality where user-supplied input in the "Identifier Format" field is not properly sanitized before being rendered in the web interface. When an authenticated user with Invoice Group management permissions injects malicious JavaScript payload into this field, the script is stored in the database and subsequently executed in the browsers of all users who view the invoice list or main dashboard.
The attack requires network access and a low-privileged authenticated account with specific permissions. While user interaction is required (viewing the affected pages), the changed scope means the vulnerability can impact resources beyond the vulnerable component, affecting other users' sessions and potentially the broader application context.
Root Cause
The root cause of this vulnerability stems from insufficient input validation and output encoding in the InvoicePlane application. The "Identifier Format" field accepts and stores arbitrary user input without proper sanitization, and this data is subsequently rendered in HTML contexts without appropriate encoding. The CodeIgniter framework's form validation library, as shown in the patch, required updates to properly handle input validation workflows.
Attack Vector
The attack is network-based and requires an authenticated attacker with Invoice Group management permissions. The attacker crafts a malicious JavaScript payload and submits it through the Invoice Groups configuration interface. Once stored, the payload executes automatically when any user—including administrators—views pages that render the Invoice Group identifier format, such as the invoice list or main dashboard.
The following patch was applied to address form validation handling:
public function run($config = null, &$data = null)
{
- if (is_object($config)) {
- $this->CI = &$config;
- }
+ (is_object($config)) && $this->CI = &$config;
return parent::run($data);
}
Source: GitHub Commit Update
Additionally, the framework dependency was updated to use a different CodeIgniter fork with security improvements:
* This variable must contain the name of your "system" directory.
* Set the path if it is not in the same directory as this file.
*/
-$system_path = 'vendor/codeigniter/framework/system';
+$system_path = 'vendor/pocketarc/codeigniter/system';
/*
*---------------------------------------------------------------
Source: GitHub Commit Update
Detection Methods for CVE-2026-26270
Indicators of Compromise
- Unusual JavaScript code patterns in Invoice Group "Identifier Format" fields, particularly those containing <script> tags or event handlers
- Suspicious modifications to Invoice Group configurations by users without legitimate business need
- Browser console errors or unexpected network requests originating from dashboard or invoice list pages
- Audit log entries showing repeated access or modifications to Invoice Group settings
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block XSS payloads in POST requests to Invoice Group management endpoints
- Deploy Content Security Policy (CSP) headers to restrict script execution sources and report policy violations
- Monitor application logs for suspicious patterns in the "Identifier Format" field values
- Use browser-based XSS detection tools during security assessments to identify stored payload execution
Monitoring Recommendations
- Enable and review InvoicePlane audit logs for Invoice Group configuration changes
- Configure centralized logging to capture HTTP requests to administrative endpoints
- Implement real-time alerting for CSP violation reports indicating potential XSS attempts
- Regularly audit user permissions to ensure Invoice Group management access follows least privilege principles
How to Mitigate CVE-2026-26270
Immediate Actions Required
- Upgrade InvoicePlane to version 1.7.1 or later immediately
- Review existing Invoice Group configurations for suspicious JavaScript content in the "Identifier Format" field
- Audit user accounts with Invoice Group management permissions and revoke unnecessary access
- Implement Content Security Policy headers as a defense-in-depth measure
Patch Information
InvoicePlane version 1.7.1 addresses this vulnerability by improving input validation and updating the underlying CodeIgniter framework dependency. The patch is available through the official InvoicePlane repository. Organizations should apply commit 93622f2df88a860d89bfee56012cabb2942061d6 or upgrade to version 1.7.1 or later.
For detailed patch information, refer to the GitHub Security Advisory GHSA-432m.
Workarounds
- Restrict Invoice Group management permissions to only trusted administrators until the patch can be applied
- Implement a Web Application Firewall (WAF) with XSS filtering rules as a temporary mitigation
- Deploy Content Security Policy headers to limit script execution: Content-Security-Policy: script-src 'self'
- Manually sanitize existing Invoice Group "Identifier Format" values by removing any HTML or JavaScript content
# Configuration example for Apache/Nginx CSP header as temporary mitigation
# Apache (.htaccess or virtual host config)
Header set Content-Security-Policy "script-src 'self'; object-src 'none';"
# Nginx (server or location block)
add_header Content-Security-Policy "script-src 'self'; object-src 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
