CVE-2026-25548 in InvoicePlane
Summary
by MITRE • 02/19/2026
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbitrary system commands on the server by manipulating the `public_invoice_template` setting to include poisoned log files containing PHP code. Version 1.7.1 patches the issue.
Analysis
by VulDB Data Team • 02/21/2026
CVE-2026-25548 is a critical remote code execution flaw in InvoicePlane 1.7.0 that combines local file inclusion with log poisoning. It lies in the application's handling of the `public_invoice_template` setting, which authenticated administrators can edit. The attack proceeds in two stages: the attacker first changes the template setting so that the application includes a log file, then executes arbitrary PHP code through poisoned entries in that log. Because the only prerequisite is administrative access, the flaw is especially relevant in environments where admin credentials may be compromised or where an attacker has escalated to administrator by other means.
The flaw maps to CWE-98 and CWE-94, covering both the file inclusion and the code injection aspects. The attack chain begins with an authenticated administrator setting `public_invoice_template` to the path of a log file that contains PHP code. When the application renders the template, it includes that file, and the embedded PHP runs in the context of the web server process. The log poisoning step is possible because InvoicePlane writes application logs whose contents can be influenced by an attacker who controls data that ends up in them. This sidesteps the usual input validation: the code is never submitted as a template directly, but sits inside a log file that the application reads during normal operation.
The operational impact of CVE-2026-25548 goes well beyond the code execution itself, since it gives an authenticated administrator full control of the host. An attacker can use it to install backdoors, exfiltrate financial data, alter invoice records, and pivot to other systems on the network. The affected component is InvoicePlane's template system, which is central to generating invoices and handling client data. Because InvoicePlane is self-hosted, the exposure extends from the application to the underlying server, including database credentials, system files and any other data reachable from the web server's account. Chaining LFI with log poisoning also makes exploitation harder to spot, because the code runs through a legitimate application code path (template inclusion) rather than through an obvious injection point.
Security professionals should prioritize patching every InvoicePlane installation running version 1.7.0. Remediation means updating to version 1.7.1, which adds proper validation and sanitization of template settings. Organizations should also monitor for unexpected log file modifications and for changes to template settings, both of which may indicate exploitation attempts. The vulnerability's classification under ATT&CK technique T1059.007 (Command and Scripting Interpreter: PowerShell) and T1078.004 (Valid Accounts: Cloud Accounts) underlines the need for strong access control and monitoring of privileged accounts. Further mitigations include web application firewall rules that flag suspicious template manipulation, restrictive file permissions on log directories, and periodic audits of application configuration. The case is a reminder that user-controlled data must never be allowed to steer file inclusion in a web application without strict validation.
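To make the inclusion flaw described in the analysis and the "proper validation of template settings" fix concrete, here is an added PHP example that is not InvoicePlane's code: a hypothetical vulnerable template loader that passes the setting straight to `include`, beside a hardened resolver that treats the setting as a template name and confines it to the template directory. The function names, the `<name>.php` layout under `$templateDir`, and the constructed sample directory are assumptions for the illustration.

```php
<?php
// Added example, not InvoicePlane's code: resolving an admin-supplied template
// setting without letting it reach include() as a raw path.
// Assumed layout: templates are PHP files named <name>.php under $templateDir.

// Vulnerable pattern (hypothetical): the setting value is concatenated into the
// include path, so a value pointing outside the template directory, such as a log
// file into which PHP tags were written, is included and executed by the server.
function renderTemplateUnsafe(string $templateDir, string $setting): void
{
    include $templateDir . '/' . $setting . '.php';
}

// Hardened form: treat the setting as a template *name*, never as a path.
//  1. Accept only a plain identifier (no slashes, dots, NUL bytes).
//  2. Canonicalise with realpath() so symlinks cannot point out of the directory.
//  3. Require the canonical path to be an existing file inside $templateDir.
function resolveTemplate(string $templateDir, string $setting): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $setting)) {
        return null;
    }
    $base = realpath($templateDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $setting . '.php');
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

function renderTemplate(string $templateDir, string $setting): void
{
    $file = resolveTemplate($templateDir, $setting);
    if ($file === null) {
        throw new RuntimeException('rejected public_invoice_template value');
    }
    include $file;
}

// Self-check on a constructed template directory.
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/InvoicePlane.php', "<?php echo 'template ok';");
$ok = resolveTemplate($dir, 'InvoicePlane') === realpath($dir . '/InvoicePlane.php')
    && resolveTemplate($dir, '../../var/log/application') === null
    && resolveTemplate($dir, 'DoesNotExist') === null;
echo $ok ? "hardened resolver behaves as expected\n" : "CHECK FAILED\n";
```

The same name-not-path rule applies to any other setting that ends up in `include`, `require` or a file read; the resolver returns `null` for anything it rejects so the caller can log the rejected value as a detection signal.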