Nixpkgs security tracker

Untriaged

Permalink CVE-2026-26281

4.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 2 months ago

InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser of any user viewing the invoice. This can lead to session hijacking, data theft, or other malicious actions on behalf of the victim user. Version 1.7.1 patches the issue.

References

https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-ccpx-2v5c-cc24 x_refsource_CONFIRM
https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6 x_refsource_MISC

Affected products

InvoicePlane

=== 1.7.0

Matching in nixpkgs

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

Package maintainers

@onny Jonas Heinrich <onny@project-insanity.org>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.invoiceplane

Package maintainers