{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-30T23:45:56.519","vulnerabilities":[{"cve":{"id":"CVE-2026-25596","sourceIdentifier":"security-advisories@github.com","published":"2026-02-18T23:16:20.073","lastModified":"2026-06-17T10:24:55.457","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any administrator views an invoice containing a product with the malicious unit. Version 1.7.1 patches the issue."},{"lang":"es","value":"InvoicePlane es una aplicación de código abierto autoalojada para gestionar facturas, clientes y pagos. Una vulnerabilidad de cross-site scripting (XSS) almacenado existe en InvoicePlane 1.7.0 a través de los campos Product Unit Name. Un administrador autenticado puede inyectar JavaScript malicioso que se ejecuta cuando cualquier administrador ve una factura que contiene un producto con la unidad maliciosa. La versión 1.7.1 soluciona el problema."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"InvoicePlane","product":"InvoicePlane","versions":[{"version":"<= 1.7.0","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":2.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-19T16:28:59.972711Z","id":"CVE-2026-25596","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*","versionEndExcluding":"1.7.1","matchCriteriaId":"200F4F45-C04E-4F4E-9DF4-CE8D5ABEDB9F"}]}]}],"references":[{"url":"https://github.com/InvoicePlane/InvoicePlane/commit/93622f2df88a860d89bfee56012cabb2942061d6","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-3wjq-822q-98f4","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}