CVE-2025-67084

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-67084

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67084.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-67084

Published

2026-01-15T15:15:51.427Z

Modified

2026-03-13T03:41:59.234016Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).

References

Affected packages

Git / github.com/invoiceplane/invoiceplane

Affected ranges

Type

GIT

Repo

https://github.com/invoiceplane/invoiceplane

Events

Introduced

Fixed

add8bb798dde621f886823065ef1841986543c69

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.6.4"
        }
    ]
}

Affected versions

0.*

0.9beta

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.1.1

v1.1.2

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.4.0

v1.4.1

v1.4.10

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4.8

v1.4.9

v1.5.0

v1.5.0-beta.1

v1.5.0-beta.2

v1.5.0-beta.3

v1.5.0-beta.4

v1.5.1

v1.5.10

v1.5.11

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.7

v1.5.8

v1.5.9

v1.6-beta

v1.6-beta-1

v1.6-beta-2

v1.6-beta-3

v1.6.0

v1.6.1

v1.6.1-alpha-1

v1.6.1-beta-1

v1.6.1-beta-2

v1.6.1-beta-3

v1.6.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67084.json"