CVE-2026-25548

CVE-2026-25548 is a critical remote code execution (RCE) vulnerability affecting InvoicePlane, a self-hosted open-source application for managing invoices, clients, and payments. The flaw, present in version 1.7.0, stems from a chained local file inclusion (LFI) and log poisoning attack vector, mapped to CWEs-94 (Code Injection), CWE-98 (PHP File Inclusion), and CWE-117 (Log Injection). It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), highlighting its high severity due to network accessibility, low complexity, and potential for complete confidentiality, integrity, and availability impact with a scope change.

An authenticated administrator can exploit this vulnerability by manipulating the `public_invoice_template` setting to include poisoned log files containing arbitrary PHP code. This triggers the LFI to read and execute the malicious code from the logs, allowing the attacker to run arbitrary system commands on the server. Exploitation requires high privileges but no user interaction, enabling full server compromise from a remote network position.

The InvoicePlane GitHub security advisory (GHSA-g6rw-m9mf-33ch) and patching commit (93622f2df88a860d89bfee56012cabb2942061d6) confirm that upgrading to version 1.7.1 resolves the issue by addressing the LFI and log poisoning flaws in the template handling. Security practitioners should prioritize patching affected InvoicePlane 1.7.0 installations, especially in environments with admin access controls.