CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-67084

CVSS 9.9v3.1pub. 2026-01-15upd. 2026-01-22

File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).

🤖 AI Analysis
How it works

InvoicePlane application does not properly verify the type or content of files uploaded in the attachments module. An authenticated user can upload a PHP file instead of an allowed attachment. After uploading the file to the server, an attacker can invoke it through a browser or direct HTTP request, which results in executing PHP code in the context of the web server. This way it is possible to gain full control over the server environment.

Impact

An attacker with access to an account in the application can execute arbitrary code on the server (RCE), which can lead to taking control of the system, data theft, backdoor installation, or further lateral movement in the network.

Mitigation & patch

Patches available from the vendor should be applied according to the references. Until the fix is implemented, it is recommended to restrict access to the application only to trusted users and configure the web server so that files in attachment directories are not executable (e.g., block PHP execution in the uploads directory).

Who is affected

InvoicePlane in version 1.6.3 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Invoiceplane

    APP
    Invoiceplane
    < 1.6.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-23491CRITICAL9.3PL ✓ten sam produkt

Path traversal w InvoicePlane umożliwia odczyt dowolnych plików bez uwierzytelnienia

CVE-2026-25548CRITICAL9.1PL ✓ten sam produkt

RCE w InvoicePlane 1.7.0 via LFI i Log Poisoning

CVE-2024-56975CRITICAL9.8PL ✓ten sam produkt

RCE w InvoicePlane — niebezpieczne przesyłanie plików (upload_file)

CVE-2021-29024HIGH7.5ten sam produkt

In InvoicePlane 1.5.11 a misconfigured web server allows unauthenticated directory listing and file download. ...

CVE-2017-1000238HIGH8.8ten sam produkt

InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload resulting in an authenticated user can up...