CVE-2025-67084
Published: 15 January 2026
Summary
CVE-2025-67084 is a critical-severity PHP file-upload vulnerability (CWE-616) in InvoicePlane (vendor: InvoicePlane). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 21.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-10 (Information Input Validation): directly validates file uploads to reject arbitrary PHP files, preventing their storage and subsequent remote execution in InvoicePlane.
- SI-2 (Flaw Remediation): requires timely patching of the InvoicePlane flaw enabling unrestricted PHP file uploads, eliminating the vulnerability's root cause.
- SI-3 (Malicious Code Protection): deploys malicious code protection at upload entry points to scan and eradicate executable PHP files before they can be stored or triggered.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Direct upload of executable PHP files enables web shell deployment (T1505.003) following exploitation of the public-facing web application (T1190).
NVD Description
File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).
Deeper analysis (AI)
CVE-2025-67084 is a file upload vulnerability in InvoicePlane through version 1.6.3 that allows authenticated attackers to upload arbitrary PHP files into the attachments directory, enabling remote code execution (RCE) when those files are later accessed. This issue is classified under CWE-616 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and broad impact across confidentiality, integrity, and availability.
The vulnerability can be exploited by any authenticated user with low privileges over the network, requiring no user interaction. Successful exploitation allows attackers to execute arbitrary code on the server by uploading malicious PHP files that are stored and then remotely triggered, potentially leading to full server compromise given the changed scope and high impact metrics.
Mitigation guidance is available in references such as the Helx.io security advisory at https://www.helx.io/blog/advisory-invoice-plane/ and the InvoicePlane GitHub repository at https://github.com/InvoicePlane/InvoicePlane. The CVE was published on 2026-01-15T15:15:51.427.
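As an added illustration of the SI-10 control above, the following is a hardened attachment-upload validator written in PHP for this advisory; it is not InvoicePlane's own code, and the function names and the storage directory are assumptions. It makes only allow-list decisions, checks file content as well as the name, and stores accepted files under a server-generated name outside the web root, so an uploaded PHP script is neither accepted nor, if it somehow were, ever reachable for execution.

```php
<?php
// Added example (not InvoicePlane code): allow-list validation and safe storage
// for an attachment upload. Function names and the storage path are assumptions.
// The only types an invoice attachment may have, with the MIME type libmagic reports for each.
const ATTACHMENT_TYPES = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'txt'  => 'text/plain',
];
// Assumed directory outside the web root: files stored here are never served or executed directly.
const ATTACHMENT_STORAGE_DIR = '/var/lib/invoiceplane-attachments';

/** Validate one entry of $_FILES. Returns null when acceptable, otherwise the reason
 *  for rejection. Only allow-list decisions are made: there is no "is this PHP?" check
 *  that a new extension (.phtml, .phar, .php8) or a case variant could slip past. */
function validateAttachmentUpload(array $file): ?string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return 'upload failed with error code ' . (int) $err;
    }
    if (!is_uploaded_file($file['tmp_name'] ?? '')) {
        return 'not a file uploaded via HTTP POST';
    }
    // Lower-casing catches "INVOICE.PHP"; only the final extension matters because
    // storeAttachment() discards the client name, so "x.php.pdf" becomes <random>.pdf.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!isset(ATTACHMENT_TYPES[$ext])) {
        return "extension '$ext' is not in the allow-list";
    }
    // Check content as well as name: a PHP script renamed to .pdf does not start with %PDF,
    // and libmagic reports PHP source as text/x-php, not text/plain.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ATTACHMENT_TYPES[$ext]) {
        return "content type '$mime' does not match .$ext";
    }
    return null;
}

/** Store an accepted upload under a server-generated name, never the client's. */
function storeAttachment(array $file): string
{
    $ext  = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    $dest = ATTACHMENT_STORAGE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    chmod($dest, 0640); // readable by the application user, never executable
    return $dest;
}
```

Stored files should be served back through a download endpoint that sends `Content-Disposition: attachment` and the MIME type recorded at upload time, rather than by exposing the storage directory to the web server.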
Details
- CWE(s)