We’re taking on a small number of new builds and rebuilds this quarter. Book a call to see if your project is a fit.

CVE CVE-2025-67084

CVE-2025-67084

PHP

Severity: CRITICAL
CVSS: 9.9CVSS
Published: 2026-01-15
Last modified: 2026-01-22
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-616

Description

File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).

References

https://github.com/InvoicePlane/InvoicePlane
https://www.helx.io/blog/advisory-invoice-plane/

Summary

Description

References