threatengine.sh
Product: invoiceplane
29 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE ID | Affected versions | CVSS score (severity), followed by the advisory summary

CVE-2026-26281 | all versions | 4.4 (MEDIUM)
  InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting

CVE-2026-26270 | all versions | 5.4 (MEDIUM)
  InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting

CVE-2026-25596 | < 1.7.1 | 4.8 (MEDIUM)
  InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting

CVE-2026-25595 | < 1.7.1 | 4.8 (MEDIUM)
  InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting

CVE-2026-25594 | < 1.7.1 | 4.8 (MEDIUM)
  InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting

CVE-2026-25548 | < 1.7.1 | 9.1 (CRITICAL)
  InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Executi

CVE-2026-24745 | all versions | 5.7 (MEDIUM)
  InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting

CVE-2026-24744 | all versions | 5.7 (MEDIUM)
  InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting

CVE-2026-24743 | all versions | 5.7 (MEDIUM)
  InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting

CVE-2026-24746 | all versions | 5.7 (MEDIUM)
  InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting

CVE-2026-23491 | < 1.6.4 | 7.5 (HIGH)
  InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability

CVE-2025-67084 | < 1.6.4 | 9.9 (CRITICAL)
  File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachme

CVE-2025-67083 | < 1.6.4 | 5.3 (MEDIUM)
  Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. Th

CVE-2025-67082 | < 1.6.4 | 6.5 (MEDIUM)
  An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters whe

CVE-2025-64012 | all versions | 4.3 (MEDIUM)
  InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before

CVE-2024-56975 | < 1.6.2 | 9.8 (CRITICAL)
  InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the u

CVE-2024-12667 | <= 1.6.1 | 3.7 (LOW)
  A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Affected by this issue is some unknown functi

CVE-2024-12478 | <= 1.6.1 | 6.3 (MEDIUM)
  A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function u

CVE-2024-12362 | <= 1.6.1 | 4.3 (MEDIUM)
  A vulnerability was found in InvoicePlane up to 1.6.1. It has been classified as problematic. This affects the function download o

CVE-2023-23011 | all versions | 6.1 (MEDIUM)
  Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php.

CVE-2021-29024 | all versions | 7.5 (HIGH)
  In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. Allowing an attacker

CVE-2021-29023 | all versions | 5.3 (MEDIUM)
  InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that

CVE-2021-29022 | all versions | 5.3 (MEDIUM)
  In InvoicePlane 1.5.11, the upload feature discloses the full path of the file upload directory.

CVE-2019-7223 | >= 1.5.0 and <= 1.5.9 | 5.4 (MEDIUM)
  InvoicePlane 1.5 has stored XSS via the index.php/invoices/ajax/save invoice_password parameter, aka the "PDF password" field to t

CVE-2018-12255 | all versions | 6.1 (MEDIUM)
  An XSS issue was discovered in InvoicePlane 1.5.10 via the "Quote PDF Password(Optional)" field.

CVE-2017-18217 | < 1.5.5 | 6.1 (MEDIUM)
  An issue was discovered in InvoicePlane before 1.5.5. It was observed that the Email address and Web address parameters are vulner

CVE-2017-1000508 | <= 1.5.4 | 6.1 (MEDIUM)
  Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in

CVE-2017-1000239 | all versions | 5.4 (MEDIUM)
  InvoicePlane version 1.4.10 is vulnerable to a Stored Cross Site Scripting resulting in allowing an authenticated user to inject m

CVE-2017-1000238 | all versions | 8.8 (HIGH)
  InvoicePlane version 1.4.10 is vulnerable to an Arbitrary File Upload resulting in an authenticated user can upload a malicious fil
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin