InvoicePlane File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A file upload vulnerability has been identified in InvoicePlane versions through 1.6.3. This vulnerability allows authenticated users to upload arbitrary PHP files via the attachment feature. Once uploaded, these files can be executed remotely, leading to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where InvoicePlane is hosted.

Reproduction

To reproduce this vulnerability, an authenticated user can upload a PHP file through the attachment upload functionality. The upload handler performs a partial MIME type check, but it is possible to bypass this by declaring a benign MIME type such as text/plain. Once the PHP file is uploaded, it can be accessed and executed on the server, allowing for arbitrary code execution in the context of the web application.

Remediation

Users can update to InvoicePlane version 1.6.4 to address this vulnerability.
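The weakness described under Reproduction is an upload check that can be satisfied by the MIME type the client declares. The following is an added example, not InvoicePlane's code, of an attachment handler that ignores the declared type and instead checks an extension allowlist, sniffs the file content, and stores the result under a random name outside the web root; the allowlist, the `$storageDir` location and the function names are assumptions.

```php
<?php
// Added example (not InvoicePlane code): a hardened attachment validator that
// never trusts the client-declared MIME type, which is the weakness described above.
// Assumed allowlist: permitted extensions and the content types they must sniff as.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

/**
 * Validate one $_FILES entry and return the extension to store it under.
 * $file['type'] is deliberately ignored because the client supplies it.
 */
function validateAttachment(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Only the final extension counts, so "a.php" and "a.pdf.php" are both rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the actual bytes; a declared "text/plain" header changes nothing here.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($sniffed, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("content $sniffed does not match .$ext");
    }
    return $ext;
}

/**
 * Store a validated file under a random name in a directory outside the web
 * root ($storageDir, assumed), so the web server never serves or executes it.
 */
function storeAttachment(array $file, string $storageDir): string
{
    $ext  = validateAttachment($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], "$storageDir/$name")) {
        throw new RuntimeException('could not store file');
    }
    return $name; // keep the original display name separately in the database
}
```

Downloads should then be served through a controller that reads the stored file by its database record and sends it with a fixed Content-Disposition, rather than by a direct URL into the storage directory.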

Added: Jan 15, 2026, 3:20 PM
Updated: Jan 15, 2026, 5:33 PM

Vulnerability Rating (Custom Algorithm)

spread: 3.1
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 2.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.