Description

File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).

Related CPE's

a

invoiceplane

invoiceplane

Vulnerable

References

https://github.com/InvoicePlane/InvoicePlane

Product

https://www.helx.io/blog/advisory-invoice-plane/

ExploitThird Party Advisory

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0

Secondary
CWE-616

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9.9 · Critical

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-15T15:15:51.427Z

1 month ago

Last modified

2026-01-22T16:03:34.310Z

4 weeks ago