CVE-2026-23491
InvoicePlane has Unauthenticated Path Traversal in Guest Controller
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
| CWE | CWE-22 |
| Vendor | invoiceplane |
| Product | invoiceplane |
| Published | Feb 18, 2026 |
| Last Updated | Feb 25, 2026 |
Stay Ahead of the Next One
Get instant alerts for invoiceplane invoiceplane
Be the first to know when new unknown vulnerabilities affecting invoiceplane invoiceplane are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
InvoicePlane / InvoicePlane
< 1.6.4