Platform: php
Component: invoiceplane
Fixed in: 1.7.1
CVE-2026-25548 is a critical Remote Code Execution (RCE) vulnerability affecting InvoicePlane versions up to 1.7.0. This vulnerability allows an authenticated administrator to execute arbitrary system commands on the server, potentially leading to complete system compromise. The vulnerability stems from a chained Local File Inclusion (LFI) and Log Poisoning attack. A patch, version 1.7.1, has been released to address this issue.
The impact of CVE-2026-25548 is severe. An attacker who already holds administrator privileges can execute arbitrary code on the InvoicePlane server, which can lead to complete system takeover and to the exfiltration, modification, or deletion of data, including the financial records and client information InvoicePlane stores. Command execution on the server also opens the door to lateral movement against other systems the InvoicePlane host can reach. The mechanism is the classic log-poisoning chain: the attacker first gets PHP code written into a file on the server (for example by sending it in a request field that ends up in a log), then abuses the Local File Inclusion to make the application include that file, at which point the PHP interpreter executes the injected code.
CVE-2026-25548 was publicly disclosed on 2026-02-18. Exploitation is straightforward once administrator access is obtained, so the practical risk depends on how well administrator accounts are protected. No public proof-of-concept (PoC) code had been released at the time of writing, but because LFI and log poisoning are well-understood techniques, a PoC is likely to appear. The CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25548 is to upgrade InvoicePlane to version 1.7.1 or later as soon as possible. Where an immediate upgrade is not feasible, reduce exposure in the meantime. Because exploitation requires an administrator account, keep the number of admin accounts to a minimum, enforce strong credentials (and a second factor at the login in front of the application where your deployment allows it), and review who holds that role. Restrict who can change the publicinvoicetemplate setting and validate any value that could influence it. Enforce strict file access controls so the application cannot include files it does not need, log files in particular. A Web Application Firewall with rules that flag PHP tags (such as <?php) in request paths, headers, and form fields can catch the log-poisoning step, but treat it as a detection aid rather than a fix, since the attacker is already an authenticated admin. Also search existing web server and application logs for such PHP fragments: their presence indicates an attempt that may predate the patch. After upgrading, verify the fix by confirming that the installed version reports 1.7.1 or later; if you want to exercise the exploit path yourself, do so against a staging copy, not production.
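The following Python helpers are an added triage example; they are not code from this advisory or from InvoicePlane. They assume the version boundary stated above (1.7.0 and earlier affected, 1.7.1 fixed), web server logs in the common Apache/nginx combined format, and a hypothetical template allowlist whose names are made up. The sample log lines are constructed for the example. The first two functions answer "am I running an affected release" and "has anyone tried to write PHP into my logs"; the third shows the allowlist-plus-realpath check that closes a setting-driven file inclusion, as a generic pattern rather than InvoicePlane's actual fix.

```python
"""Triage helpers for an LFI + log-poisoning RCE such as CVE-2026-25548.

Added example, not InvoicePlane code. Assumptions: affected <= 1.7.0, fixed in
1.7.1 (from the advisory); logs in Apache/nginx "combined" format; the template
allowlist used in __main__ is hypothetical.
"""
import os
import re
from urllib.parse import unquote

FIXED_VERSION = (1, 7, 1)  # first fixed release per the advisory


def parse_version(text: str) -> tuple:
    """'v1.7.0' -> (1, 7, 0); ignores suffixes such as '-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def is_affected(version: str) -> bool:
    """True for every release before the fix (1.7.0 and earlier)."""
    return parse_version(version) < FIXED_VERSION


# A log-poisoning payload must contain a PHP open tag to be executed when the
# poisoned log is later included, so that is what we look for (case-insensitive).
PHP_MARKERS = re.compile(r"<\?(php|=)|<script\s+language\s*=\s*['\"]?php", re.I)

# Combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_poisoning_attempts(lines):
    """Return (line_no, field, client_ip) for each line carrying a PHP open tag.

    Every field is URL-decoded first so an encoded %3C%3Fphp in the request
    path is not missed. Lines that do not parse are scanned as a whole.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        match = COMBINED.match(line)
        fields = match.groupdict() if match else {"raw": line}
        for name, value in fields.items():
            if PHP_MARKERS.search(unquote(value)):
                hits.append((number, name, fields.get("ip", "?")))
                break  # one hit per line is enough
    return hits


def is_safe_template(template_dir: str, requested: str, allowed: frozenset) -> bool:
    """Allowlist first, then realpath containment as defence in depth.

    Generic pattern for a setting that selects which file gets included;
    illustrative only, not InvoicePlane's actual fix.
    """
    if requested not in allowed:
        return False
    base = os.path.realpath(template_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [18/Feb/2026:10:00:01 +0000] "GET /index.php/sessions/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Feb/2026:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php system($_GET[0]); ?>"',
    '198.51.100.9 - - [18/Feb/2026:10:01:11 +0000] "GET /%3C%3Fphp+phpinfo%28%29%3B%3F%3E HTTP/1.1" 404 0 "-" "curl/8.0"',
    '192.0.2.4 - - [18/Feb/2026:10:02:00 +0000] "POST /index.php/settings HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("1.6.2", "1.7.0", "1.7.1"):
        print(v, "affected" if is_affected(v) else "fixed")
    for line_no, field, ip in find_poisoning_attempts(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: PHP tag in {field} from {ip}")
    allowed = frozenset({"default.php", "compact.php"})  # hypothetical allowlist
    print(is_safe_template("/var/www/app/templates", "default.php", allowed))
    print(is_safe_template("/var/www/app/templates", "../../var/log/apache2/access.log", allowed))
```

Point find_poisoning_attempts at the lines of your real access and application logs; the URL decoding is what catches the encoded request-path variant, and PHP_MARKERS can be widened for your environment. The allowlist check is deliberately first: realpath containment alone would still let an attacker include any file under the template directory, and the allowlist alone would not survive a mistaken entry.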
Update InvoicePlane to version 1.7.1 or higher. This version fixes the remote code execution vulnerability. The update can be performed by downloading the latest version from the official website or using the built-in update system, if available.
CVE-2026-25548 is a critical Remote Code Execution vulnerability in InvoicePlane versions 1.7.0 and earlier, allowing an authenticated admin to execute system commands via a chained LFI/Log Poisoning attack.
Yes, if you are running InvoicePlane version 1.7.0 or earlier, you are affected by this vulnerability. Upgrade to version 1.7.1 immediately.
The recommended fix is to upgrade InvoicePlane to version 1.7.1 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting access to the publicinvoicetemplate setting.
While no active exploitation has been confirmed publicly, the vulnerability's ease of exploitation suggests it is likely to be targeted. Proactive patching is essential.
Refer to the InvoicePlane security advisory for detailed information and updates: [https://invoiceplane.com/security/](https://invoiceplane.com/security/)