Primary

Context

InvoicePlane Remote Code Execution Vulnerability in File Upload Function

Vulnerability

Patched

A remote code execution vulnerability has been identified in InvoicePlane versions through 1.6.11. The issue arises in the upload_file method of the Upload controller, where improper handling of file uploads allows for the execution of arbitrary code.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where InvoicePlane is hosted.

Reproduction

To reproduce this vulnerability, upload a file through the application's file upload feature. The uploaded file should be crafted to include malicious code. Once the file is uploaded, the malicious code will be executed on the server.

Remediation

Users are advised to update to InvoicePlane version 1.6.2 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

10.0

exploitability

8.5

remediation

7.7

relevance

0.0

threat

1.6

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

10.0

exploitability

8.5

remediation

7.7

relevance

0.0

threat

1.6

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

InvoicePlane Remote Code Execution Vulnerability in File Upload Function

Vulnerability

Impact

Reproduction

Remediation

Affected Products

InvoicePlane

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating