Invoiceplane

Invoiceplane

29 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2026-23491

Exploit
  • EPSS 0.18%
  • Veröffentlicht 18.02.2026 19:52:26
  • Zuletzt bearbeitet 25.02.2026 17:25:38

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1....

9.9

CVE-2025-67084

Exploit
  • EPSS 0.06%
  • Veröffentlicht 15.01.2026 15:15:51
  • Zuletzt bearbeitet 22.01.2026 16:03:34

File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE).

5.3

CVE-2025-67083

Exploit
  • EPSS 0.07%
  • Veröffentlicht 15.01.2026 15:15:51
  • Zuletzt bearbeitet 22.01.2026 16:03:54

Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration.

6.5

CVE-2025-67082

Exploit
  • EPSS 0.03%
  • Veröffentlicht 15.01.2026 15:15:51
  • Zuletzt bearbeitet 22.01.2026 16:04:15

An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the ...

4.3

CVE-2025-64012

Exploit
  • EPSS 0.04%
  • Veröffentlicht 16.12.2025 00:00:00
  • Zuletzt bearbeitet 31.12.2025 00:39:06

InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data.

9.8

CVE-2024-56975

  • EPSS 2.28%
  • Veröffentlicht 28.03.2025 00:00:00
  • Zuletzt bearbeitet 14.04.2025 16:50:35

InvoicePlane (all versions tested as of December 2024) v.1.6.11 and before contains a remote code execution vulnerability in the upload_file method of the Upload controller.

5.9

CVE-2024-12667

  • EPSS 0.23%
  • Veröffentlicht 16.12.2024 20:15:09
  • Zuletzt bearbeitet 19.12.2024 15:10:22

A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /invoices/view. The manipulation leads to session expiration. The attack may be launched remotely. T...

8.8

CVE-2024-12478

  • EPSS 0.01%
  • Veröffentlicht 16.12.2024 11:15:04
  • Zuletzt bearbeitet 15.10.2025 17:46:52

A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted up...

5.3

CVE-2024-12362

  • EPSS 0.2%
  • Veröffentlicht 16.12.2024 10:15:05
  • Zuletzt bearbeitet 15.10.2025 17:42:53

A vulnerability was found in InvoicePlane up to 1.6.1. It has been classified as problematic. This affects the function download of the file invoices.php. The manipulation of the argument invoice leads to path traversal. It is possible to initiate th...

6.1

CVE-2023-23011

Exploit
  • EPSS 0.23%
  • Veröffentlicht 07.02.2023 23:15:09
  • Zuletzt bearbeitet 25.03.2025 15:15:18

Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php.