CVE-2026-46622
SolidInvoice: API tokens stored as plaintext in the database allowing full credential compromise on database breach
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database, whether through SQL injection, a leaked backup, a misconfigured replica, or insider access, immediately obtains the API credentials of every user with no further effort. This issue has been patched in version 2.3.17.
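The fix for this class of weakness (CWE-312) is to persist only a digest of each token so that a database reader holds nothing that works as a credential. The following is an added illustration, not SolidInvoice's own code; the api_tokens schema, function names and the in-memory SQLite store are assumptions for the example.

```python
"""Hashed-at-rest API token store (added example, not SolidInvoice code).

Assumed schema: api_tokens(user_id INTEGER, token_hash TEXT); SolidInvoice's
real table layout is not shown on the advisory and is not reproduced here.
"""
import hashlib
import hmac
import secrets
import sqlite3

HASH_ALG = "sha256"


def _digest(token: str) -> str:
    # API tokens are high-entropy random secrets, so an unsalted SHA-256 is
    # adequate here; unlike passwords they cannot be recovered by guessing.
    return hashlib.new(HASH_ALG, token.encode()).hexdigest()


def open_store() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the real api_tokens table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_tokens (user_id INTEGER, token_hash TEXT UNIQUE)")
    return conn


def issue_token(conn: sqlite3.Connection, user_id: int) -> str:
    # The raw token is returned to the caller exactly once; only its digest
    # is written to the database.
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO api_tokens VALUES (?, ?)", (user_id, _digest(token)))
    return token


def authenticate(conn: sqlite3.Connection, presented: str):
    # Look the row up by digest; a plaintext token never touches the database.
    wanted = _digest(presented)
    row = conn.execute(
        "SELECT user_id, token_hash FROM api_tokens WHERE token_hash = ?", (wanted,)
    ).fetchone()
    if row is None:
        return None
    # Constant-time comparison of the stored digest against the computed one.
    return row[0] if hmac.compare_digest(row[1], wanted) else None


def dump_table(conn: sqlite3.Connection) -> list:
    # What a database breach exposes: digests only, which cannot be replayed
    # against the API (the vulnerable version would expose the tokens themselves).
    return [r[0] for r in conn.execute("SELECT token_hash FROM api_tokens")]
```

When migrating an existing plaintext api_tokens column, hash each stored value in place and treat the old tokens as already exposed, rotating them rather than merely re-encoding them.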
| CWE | CWE-312 |
| Vendor | solidinvoice |
| Product | solidinvoice |
| Published | Jun 11, 2026 |
CVSS v3 Breakdown
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | None |
Affected Versions
SolidInvoice / SolidInvoice
< 2.3.17