Platform: php
Component: invoiceplane
Fixed in: 1.7.1
CVE-2026-25548 is a critical Remote Code Execution (RCE) vulnerability affecting InvoicePlane versions up to 1.7.0. This vulnerability allows an authenticated administrator to execute arbitrary system commands on the server, potentially leading to complete system compromise. The vulnerability stems from a chained Local File Inclusion (LFI) and Log Poisoning attack. A patch, version 1.7.1, has been released to address this issue.
The impact of CVE-2026-25548 is severe. A successful exploit allows an attacker, with administrator privileges, to gain complete control over the InvoicePlane server. This includes the ability to read, modify, and delete any data accessible to the web server user. Sensitive financial data, client information, and potentially database credentials are all at risk. Lateral movement within the network is possible if the server has access to other systems. The blast radius extends to all data stored and processed by the InvoicePlane instance, and potentially beyond if the compromised server is used as a launchpad for further attacks.
CVE-2026-25548 was publicly disclosed on 2026-02-18. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of exploitation. The vulnerability is not currently listed on CISA KEV, but its severity warrants close monitoring.
Organizations using InvoicePlane for invoice management, particularly those with self-hosted deployments and administrator accounts that are not adequately secured, are at significant risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromise of one user's InvoicePlane installation could potentially affect others.
• linux / server:
  journalctl -u invoiceplane | grep -i "php code injection"
• generic web:
  curl -I http://your-invoiceplane-server.com/public_invoice_template | grep -i "Content-Type: text/plain"
• php: Check the InvoicePlane configuration files for any unusual or unexpected entries in the publicinvoicetemplate setting. Look for suspicious file paths or attempts to include external files.
EPSS: 0.14% (34th percentile)
The primary mitigation for CVE-2026-25548 is to immediately upgrade InvoicePlane to version 1.7.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict file upload permissions to prevent malicious file uploads. Implement strict input validation and sanitization to prevent LFI and log injection attacks. Web Application Firewalls (WAFs) can be configured to detect and block attempts to exploit this vulnerability by monitoring for suspicious file inclusion patterns. After upgrading, confirm the fix by attempting to trigger the vulnerable functionality with a known malicious payload and verifying that it is blocked.
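As an added example (not InvoicePlane's own code, which this page does not show), the following Python script implements the two checks the page calls for: an audit of a stored public-invoice-template setting value for the markers of an LFI/log-poisoning attempt, and a hardened resolver that only accepts a plain template name mapping to an existing file directly inside the templates directory. The sample setting values, the templates directory layout and the `.php` extension are assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Constructed sample values for the publicinvoicetemplate setting (not from a real install).
SAMPLE_SETTINGS = {
    "default": "InvoicePlane",
    "traversal": "../../../var/log/apache2/access.log",
    "absolute": "/var/log/nginx/error.log",
    "wrapper": "php://filter/convert.base64-encode/resource=index",
    "nullbyte": "InvoicePlane\x00.php",
}

# Markers that have no business in a template name; each is reported with a reason.
SUSPICIOUS = [
    (re.compile(r"\.\./|\.\.\\"), "path traversal sequence"),
    (re.compile(r"^(/|[A-Za-z]:\\)"), "absolute path"),
    (re.compile(r"^[a-z][a-z0-9+.-]*://", re.I), "stream wrapper or URL"),
    (re.compile(r"\x00"), "null byte"),
    (re.compile(r"\.log\b|/log/", re.I), "reference to a log file"),
]


def audit_template_setting(value: str) -> List[str]:
    """Return the reasons a stored template value looks like an LFI/log-poisoning attempt."""
    return [reason for pattern, reason in SUSPICIOUS if pattern.search(value)]


def resolve_template(value: str, templates_dir: str) -> Optional[str]:
    """Hardened resolution: accept only a plain name (letters, digits, '_' or '-') that
    maps to an existing .php file directly inside templates_dir; otherwise return None."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return None
    base = Path(templates_dir).resolve()
    candidate = (base / f"{value}.php").resolve()
    # Containment check kept as defence in depth even though the name regex already forbids separators.
    if candidate.parent != base or not candidate.is_file():
        return None
    return str(candidate)


def demo_resolution() -> dict:
    """Build a throwaway templates directory holding one legitimate template and report
    which sample setting values the hardened resolver accepts (True) or rejects (False)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "InvoicePlane.php").write_text("<?php // constructed placeholder template\n")
        return {name: resolve_template(v, d) is not None for name, v in SAMPLE_SETTINGS.items()}
```

Run `audit_template_setting` over the value stored in each instance and treat any non-empty result as an indicator worth investigating; `resolve_template` shows the allowlist shape that prevents the setting from ever reaching an include of an arbitrary path.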
Update InvoicePlane to version 1.7.1 or higher. This version fixes the Remote Code Execution vulnerability. The update can be performed by downloading the latest version from the official website or by using the built-in update system, if available.
CVE-2026-25548 is a critical Remote Code Execution vulnerability in InvoicePlane versions 1.7.0 and earlier, allowing an authenticated admin to execute system commands via a chained LFI/Log Poisoning attack.
Yes, if you are running InvoicePlane version 1.7.0 or earlier, you are affected by this vulnerability. Upgrade to version 1.7.1 immediately.
The recommended fix is to upgrade InvoicePlane to version 1.7.1 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting access to the publicinvoicetemplate setting.
While no active exploitation has been confirmed publicly, the vulnerability's ease of exploitation suggests it is likely to be targeted. Proactive patching is essential.
Refer to the InvoicePlane security advisory for detailed information and updates: [https://invoiceplane.com/security/](https://invoiceplane.com/security/)