CVE-2025-67082
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: MITRE

Description
An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67082
EUVD
EUVD-2026-2784
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
invoiceplane invoiceplane to 1.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authenticated SQL injection in InvoicePlane versions up to 1.6.3. It occurs in the reporting functionality where the parameters 'minQuantity' and 'maxQuantity' are not properly sanitized before being used in SQL queries. This allows an attacker who is logged in to inject malicious SQL code via these parameters, potentially extracting arbitrary data from the database. [2]

Impact Analysis

An attacker exploiting this vulnerability can extract sensitive data from the database, and depending on their privileges, may also modify or delete data or abuse database functionality. This can lead to unauthorized disclosure of confidential information and potential disruption of the invoicing system. [2]

Detection Guidance

This vulnerability can be detected by testing the 'minQuantity' and 'maxQuantity' parameters in the reporting functionality of InvoicePlane for SQL injection. Since it requires authentication, you can attempt to inject SQL payloads (such as single quotes or error-based SQL injection strings) into these parameters and observe if the application returns database errors or unexpected data. Specific commands would involve using tools like sqlmap with authentication cookies or manual testing via curl or browser developer tools to send crafted requests to the report generation endpoint, targeting these parameters. For example, using curl to send a POST request with 'minQuantity' or 'maxQuantity' set to a single quote (') and checking for SQL errors in the response. However, no exact commands are provided in the resources. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade InvoicePlane to version 1.6.4 or later, where this SQL injection vulnerability has been fixed. Until the upgrade can be performed, restrict access to the reporting functionality to trusted authenticated users only, and consider applying web application firewall (WAF) rules to detect and block SQL injection attempts targeting the 'minQuantity' and 'maxQuantity' parameters. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67082. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart