CVE-2025-67084

Medium

Low Medium High Critical

6.5

CVSS Score

Published: Jan 15, 2026

Last Modified: Jan 15, 2026

Vulnerability Description

File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

References & Resources

https://github.com/InvoicePlane/InvoicePlane
cve@mitre.org
https://www.helx.io/blog/advisory-invoice-plane/
cve@mitre.org

Severity Details

6.5

out of 10.0

Medium

Key Information

Published Date: January 15, 2026

External Resources

NIST NVD

National Vulnerability Database

CVE Details

Detailed vulnerability info

MITRE CVE

Official CVE record

CVE Vulnerabilities

Posts & Pages