CVE-2026-25548
InvoicePlane · InvoicePlane
InvoicePlane versions 1.7.0 and earlier contain a critical remote code execution (RCE) vulnerability: an authenticated administrator can chain a Local File Inclusion with log poisoning to run arbitrary code on the server.
Executive summary
A critical Remote Code Execution vulnerability in InvoicePlane allows an authenticated administrator to execute system commands by first writing PHP code into a log file and then having the application include that file.
Vulnerability
The application is vulnerable to a chained attack. An authenticated administrator first poisons a log file that the PHP process can read; in the classic form of this technique, the attacker sends a request whose URL or User-Agent header carries a PHP tag, and the web server records it verbatim in its access or error log. The administrator then sets public_invoice_template to the path of that log file. When the application includes the configured template, PHP evaluates the injected code, which yields arbitrary code execution on the host under the web server's account.
Business impact
This vulnerability allows a malicious administrator to execute arbitrary commands on the host server, resulting in complete compromise of the application environment. The CVSS score of 9.1 reflects the severity of remote code execution, which can lead to data theft, tampering with invoicing data, or total destruction of the system, even though exploitation requires administrative credentials.
Remediation
Immediate Action: Upgrade to InvoicePlane version 1.7.1 or later, which contains the fix for this issue.
Proactive Monitoring: Monitor web server and application logs for requests that carry PHP tags (such as <?php) in the URL, query string, Referer or User-Agent fields, which indicate log poisoning attempts, and for changes to the public_invoice_template setting that point at log files or use directory traversal.
Compensating Controls: Restrict administrative access to trusted personnel. Make web server and system log files unreadable to the PHP runtime user, or constrain include paths with PHP's open_basedir directive, so that an include of a poisoned log fails. Limiting the web server user's write permissions to sensitive directories does not stop the poisoning itself (the server writes its own logs by design) but reduces what an attacker can do after a successful include.
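The monitoring step above can be turned into a small log scan. The following is an added example, not InvoicePlane code and not part of the original advisory: it parses Apache/nginx combined-format access logs, flags PHP open tags in any logged request field (the poisoning half of the chain), flags traversal or log-file paths in the request, with a stronger label when they are tied to the public_invoice_template name, and then correlates both halves per source IP. The log lines, hosts and payloads are constructed for the example, and the URL in which the setting name appears is a hypothetical route, not one taken from InvoicePlane. Note that the real settings change travels in a POST body, which an access log does not record, so in practice this scan should be paired with the application's own audit or settings-change logging.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format. Hosts, timestamps,
# paths and payloads are made up for this example. The final line's URL is a
# hypothetical place where a public_invoice_template value might show up; it is
# not one of InvoicePlane's real routes. The POST to settings/save looks benign
# here because the access log never sees the request body.
SAMPLE_LOG = """
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /invoices HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2026:10:03:15 +0000] "GET /index.php/%3C%3Fphp%20system%28%24_GET%5Bc%5D%29%3B%3F%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2026:10:03:40 +0000] "GET /invoices HTTP/1.1" 200 5120 "-" "<?php system($_GET['c']); ?>"
10.0.0.9 - - [12/Mar/2026:10:05:01 +0000] "POST /index.php/settings/save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2026:10:05:30 +0000] "GET /index.php/guest/view/invoice?public_invoice_template=../../../../var/log/apache2/access.log HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A PHP open tag is what the attacker needs the server to write into its own log,
# so that a later include of that log executes it.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
LOG_PATH_RE = re.compile(r'/var/log/|access[_.]?log|error[_.]?log|/proc/self/environ', re.IGNORECASE)
SETTING_RE = re.compile(r'public_invoice_template', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode twice so double URL encoding does not hide a payload from the checks below.
    entry['decoded_target'] = unquote(unquote(entry['target']))
    return entry


def classify(entry):
    """Return the indicators found in one parsed entry (empty list if it looks benign)."""
    findings = []
    # Any logged request field can carry the poison: path, query string, Referer, User-Agent.
    fields = [entry['decoded_target'], unquote(entry['referer']), unquote(entry['ua'])]
    if any(PHP_TAG_RE.search(f) for f in fields):
        findings.append('php_injection')
    target = entry['decoded_target']
    points_at_file = TRAVERSAL_RE.search(target) or LOG_PATH_RE.search(target)
    if SETTING_RE.search(target) and points_at_file:
        findings.append('template_tamper')   # the advisory's setting name aimed at a log file
    elif points_at_file:
        findings.append('lfi_probe')         # generic traversal or log-path probing
    return findings


def scan(log_text):
    """Scan a block of log text and return one alert dict per suspicious line."""
    alerts = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            alerts.append({'ip': entry['ip'], 'ts': entry['ts'],
                           'target': entry['decoded_target'], 'findings': findings})
    return alerts


def chained_attackers(alerts):
    """Source IPs that both planted PHP in a log and tried to include a log: the full chain."""
    by_ip = {}
    for alert in alerts:
        by_ip.setdefault(alert['ip'], set()).update(alert['findings'])
    return sorted(ip for ip, kinds in by_ip.items()
                  if 'php_injection' in kinds and kinds & {'template_tamper', 'lfi_probe'})


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert['ts'], alert['ip'], ','.join(alert['findings']), alert['target'])
    print('chained:', chained_attackers(found))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the per-IP correlation is what separates a noisy scanner from an actor who completed both halves of the chain, since a lone PHP tag in a User-Agent is common background noise while a poisoning attempt followed by a log-path include from the same source is not.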
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The vulnerability represents a critical risk to the integrity of any InvoicePlane deployment. Organizations should verify the version they are running and upgrade to 1.7.1 or later without delay to neutralize the RCE vector; until the upgrade is applied, treat every administrator account as equivalent to shell access on the host.