## Critical Vulnerability Information

### Vulnerability Details

- **CVE ID**: CVE-2026-25548
- **CVSS 3.1 Score**: 9.1 (Critical)
- **Affected Versions**: <=1.7.0
- **Patched Versions**: None

### Vulnerability Description

This vulnerability affects InvoicePlane versions 1.7.0 and earlier. It chains Local File Inclusion (LFI) with log poisoning to achieve Remote Code Execution (RCE). An authenticated administrator can point the `public_invoice_template` setting at a log file containing injected PHP code; the log file is then included and executed, allowing arbitrary system commands.

### Vulnerability Details

#### 1. Local File Inclusion (CWE-98)

- **File**: `application/modules/guest/controllers/view.php` (lines 85, 191)
- **Issue**: The `public_invoice_template` setting is concatenated directly into the view path without validation, so path traversal can include any `.php` file on the system.

#### 2. Log Poisoning (CWE-117 + CWE-94)

- **File**: `application/modules/upload/controllers/Upload.php` (line 182)
- **Issue**: During file upload, filenames containing path traversal characters are written to the log without sanitization, so an attacker can inject PHP code through a filename.

### Attack Flow

1. Upload a file containing malicious PHP code.
2. The filename is logged into `application/logs/log-YYYY-MM-DD.php`.
3. Modify the `public_invoice_template` setting to point to the log file.
4. Access the public invoice URL to trigger inclusion of the log file.
5. The injected PHP code executes with web server privileges.

### Impact

- All installations of InvoicePlane 1.7.0 and potentially earlier versions.
- Any organization using InvoicePlane with at least one administrator account.
### Impact Severity

| Metric          | Rating | Description                                                                       |
|-----------------|--------|-----------------------------------------------------------------------------------|
| Confidentiality | HIGH   | Full read access to all server files, database credentials, and customer data     |
| Integrity       | HIGH   | Arbitrary file modification, database operations, backdoor installation           |
| Availability    | HIGH   | Complete system compromise, potentially leading to ransomware or data destruction |

### Attack Requirements

- Authenticated administrator access.
- Knowledge of a valid invoice URL key (or ability to create invoices).

### Scope

- The vulnerability allows escape from the web application context to the underlying operating system, enabling full server compromise.
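Two defensive checks for the weaknesses described above, written as an added example (not InvoicePlane's code): a scan of `application/logs/log-*.php` entries for PHP tags or traversal sequences planted via upload filenames, and an allowlist validator for the `public_invoice_template` setting. The CodeIgniter 3 log line format (`LEVEL - date time --> message`), the leading `defined('BASEPATH')` guard line, the template allowlist and the sample log are assumptions constructed for the example.

```python
import re

# Assumed CodeIgniter 3 log entry format: "LEVEL - YYYY-MM-DD HH:MM:SS --> message".
LOG_ENTRY_RE = re.compile(r"^(?P<level>[A-Z]+) - (?P<ts>\S+ \S+) --> (?P<msg>.*)$")
# The first line of a CodeIgniter log file is a legitimate PHP guard, not poisoning.
CI_GUARD_RE = re.compile(r"^<\?php defined\('BASEPATH'\)")
# PHP tags or traversal sequences have no business in a logged upload filename.
PHP_TAG_RE = re.compile(r"<\?(php|=)|\?>", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed allowlist: the template names a deployment actually ships.
ALLOWED_TEMPLATES = frozenset({"InvoicePlane", "InvoicePlane_Modern"})
TEMPLATE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample log; line 4 carries a harmless PHP tag and traversal in a filename.
SAMPLE_LOG = [
    "<?php defined('BASEPATH') OR exit('No direct script access allowed'); ?>",
    "INFO - 2026-01-15 10:00:01 --> Config Class Initialized",
    "ERROR - 2026-01-15 10:02:13 --> Upload failed for file: report.pdf",
    "ERROR - 2026-01-15 10:02:40 --> Upload failed for file: ../../<?php echo 1; ?>.pdf",
]


def find_poisoned_entries(lines):
    """Return (line_no, level, message) for entries containing PHP tags or traversal."""
    hits = []
    for n, line in enumerate(lines, 1):
        if n == 1 and CI_GUARD_RE.match(line):
            continue  # expected guard header, skip it
        m = LOG_ENTRY_RE.match(line)
        msg = m.group("msg") if m else line  # unparseable lines are still scanned
        if PHP_TAG_RE.search(msg) or TRAVERSAL_RE.search(msg):
            hits.append((n, m.group("level") if m else "?", msg))
    return hits


def is_safe_template_name(name):
    """Accept only a bare, allowlisted template name: no separators, dots or extension."""
    return isinstance(name, str) and bool(TEMPLATE_NAME_RE.match(name)) and name in ALLOWED_TEMPLATES


if __name__ == "__main__":
    for n, level, msg in find_poisoned_entries(SAMPLE_LOG):
        print(f"line {n} [{level}]: suspicious log entry: {msg!r}")
    print(is_safe_template_name("InvoicePlane"), is_safe_template_name("../../logs/log-2026-01-15"))
```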