NIXPKGS-2026-0279

GitHub issue published on 19 Feb 2026

Permalink CVE-2026-26270

updated 2 days, 12 hours ago by @LeSuisse Activity log

Created automatic suggestion 2 days, 16 hours ago
@LeSuisse accepted 2 days, 12 hours ago
@LeSuisse published on GitHub 2 days, 12 hours ago

InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript into the "Identifier Format" field. This script executes when any user views the invoice list or the main dashboard. Version 1.7.1 patches the issue.

Affected products

InvoicePlane

=== 1.7.0

Matching in nixpkgs

pkgs.invoiceplane

Self-hosted open source application for managing your invoices, clients and payments

nixos-unstable 1.7.0
- nixpkgs-unstable 1.7.0
- nixos-unstable-small 1.7.0

Package maintainers

@onny Jonas Heinrich <onny@project-insanity.org>

Upstream advisory: https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-432m-jv69-qp5j

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0279

Affected products

Matching in nixpkgs

pkgs.invoiceplane

Package maintainers