← back
CVE-2025-67084

CVE-2025-67084

CVSS 9.9 CRITICALEPSS 0.4%CWE-616
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.9EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
15 Jan 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/InvoicePlane/InvoicePlanehttps://www.helx.io/blog/advisory-invoice-plane/