PT-2026-3026 · Unknown · Invoiceplane
Published 2026-01-15 · Updated 2026-01-17 · CVE-2025-67082
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
InvoicePlane versions through 1.6.3
Description
An SQL injection vulnerability exists in InvoicePlane. The flaw lies in the maxQuantity and minQuantity parameters used when generating a report. A user with valid credentials can exploit it through error-based SQL injection to retrieve data from the database, because single quotes in these parameters are not adequately sanitized.
Recommendations
Update InvoicePlane to a version later than 1.6.3.
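The root cause named above is report filter values reaching the query as raw text, so a stray single quote changes the SQL and the resulting database error becomes the information channel. The following is an added illustration of the defensive pattern, not InvoicePlane's own code: the `items` table, its rows, and the function names are constructed for the example, and the "unsafe" function only reproduces the interpolation anti-pattern so it can be contrasted with the hardened one, which validates both quantity parameters as integers and binds them as query parameters.

```python
import re
import sqlite3


class InvalidParameter(ValueError):
    """Raised when a report parameter is not a plain non-negative integer."""


def build_db():
    # Constructed stand-in for an invoice items table (not InvoicePlane's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, quantity INTEGER)")
    conn.executemany(
        "INSERT INTO items (name, quantity) VALUES (?, ?)",
        [("widget", 3), ("gadget", 10), ("gizmo", 25)],
    )
    conn.commit()
    return conn


def parse_quantity(raw, name):
    """Accept only a non-negative integer (empty means 'no bound'); reject everything else.

    Quotes, spaces and comment markers never reach the query because they fail this check.
    """
    if raw is None or raw == "":
        return None
    if not re.fullmatch(r"\d{1,9}", str(raw)):
        raise InvalidParameter(f"{name} must be a non-negative integer")
    return int(raw)


def report_unsafe(conn, min_quantity, max_quantity):
    """Anti-pattern the advisory describes: user input interpolated into the SQL text.

    A single quote in either value breaks the statement, and the database error
    that follows is what an error-based injection relies on. Shown for contrast only.
    """
    sql = (
        f"SELECT name, quantity FROM items WHERE quantity >= '{min_quantity}' "
        f"AND quantity <= '{max_quantity}' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def report_safe(conn, min_quantity_raw, max_quantity_raw):
    """Hardened version: validate the type first, then bind values as parameters."""
    min_q = parse_quantity(min_quantity_raw, "minQuantity")
    max_q = parse_quantity(max_quantity_raw, "maxQuantity")
    clauses, params = [], []
    if min_q is not None:
        clauses.append("quantity >= ?")
        params.append(min_q)
    if max_q is not None:
        clauses.append("quantity <= ?")
        params.append(max_q)
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    # Placeholders mean the driver never parses the values as SQL.
    return conn.execute(f"SELECT name, quantity FROM items{where} ORDER BY id", params).fetchall()


def demonstrate():
    """Run both variants on well-formed and malformed input; returns the observations."""
    conn = build_db()
    result = {"safe_rows": report_safe(conn, "5", "20")}
    try:
        report_unsafe(conn, "5'", "20")  # constructed malformed value: one stray quote
        result["unsafe_error"] = None
    except sqlite3.OperationalError as exc:
        # The database error leaks back to the caller: the symptom to detect and log.
        result["unsafe_error"] = type(exc).__name__
    try:
        report_safe(conn, "5'", "20")
        result["safe_rejected"] = False
    except InvalidParameter:
        # Hardened path fails closed before any SQL is built.
        result["safe_rejected"] = True
    return result


if __name__ == "__main__":
    print(demonstrate())
```

Two layers matter here: the allow-list check rejects anything that is not digits, and parameter binding guarantees that even a value which passes validation is treated as data. Either alone helps; together they remove the single-quote problem entirely, and a rejected parameter is a cheap event to log for detection.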
Exploit
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Invoiceplane