PT-2026-3028 · Unknown · Invoiceplane

Published: 2026-01-15 · Updated: 2026-01-22 · CVE-2025-67084

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: InvoicePlane versions through 1.6.3

Description: A file upload issue exists in InvoicePlane that allows authenticated attackers to upload arbitrary PHP files into attachments. These uploaded files can then be executed remotely, potentially leading to Remote Code Execution (RCE). The affected API endpoint is the file upload functionality. The vulnerable parameter is the file itself, allowing the upload of malicious PHP scripts.

Recommendations: Update InvoicePlane to a version later than 1.6.3.

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2025-67084

Affected Products

Invoiceplane