CVE-2026-23491 CRITICAL

CVE-2026-23491: InvoicePlane has Unauthenticated Path Traversal in Guest Controller

Vendor Invoiceplane
Product InvoicePlane
Weakness CWE-22 · Path traversal
Published February 18, 2026
Last update February 25, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

Description

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane versions up to and including 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
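The defect class described above (CWE-22 in a controller that serves files by name) is mitigated by resolving the requested name against the intended storage directory and refusing anything whose real path lands outside it. The block below is an added example written for this page; it is not code from the InvoicePlane project and not the 1.6.4 fix. The storage directory, file names and symlink it creates are constructed for the demonstration, and the check is done on the fully resolved path so that `..` segments, absolute names and symlinks pointing outside the store are all caught by one rule.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested file name would escape the serving directory."""


def unsafe_resolve(base_dir: str, requested: str) -> str:
    # The vulnerable pattern, shown only for contrast: the user-controlled
    # name is joined onto the storage directory with no containment check,
    # so "../" segments or an absolute path walk out of base_dir.
    # This helper never opens the file.
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Return the real path of `requested` inside `base_dir`, or raise.

    Validation happens on the resolved path, after whatever URL decoding the
    web layer has already applied, so the rule is simply: the final real path
    must be strictly below the real base directory.
    """
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty name or embedded NUL byte")
    base = Path(base_dir).resolve(strict=True)
    # Joining an absolute right-hand side yields that absolute path, so
    # "/etc/passwd" is rejected by the same containment check below.
    candidate = (base / requested).resolve(strict=False)
    if base not in candidate.parents:
        raise UnsafePathError(f"{requested!r} resolves outside {base}")
    return candidate


def read_guest_file(base_dir: str, requested: str) -> bytes:
    """Hardened equivalent of a get_file-style handler (hypothetical name)."""
    path = safe_resolve(base_dir, requested)
    if not path.is_file():
        raise FileNotFoundError(requested)
    return path.read_bytes()


def classify(base_dir: str, requested: str) -> str:
    """'ok' if the name would be served, 'blocked' if the check fires."""
    try:
        safe_resolve(base_dir, requested)
        return "ok"
    except UnsafePathError:
        return "blocked"


def make_sample_store() -> str:
    """Build a constructed upload directory: one invoice, a subdir and a
    symlink that points outside the store (which safe_resolve must reject)."""
    base = Path(tempfile.mkdtemp(prefix="invoices_"))
    (base / "invoice_1.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (base / "nested").mkdir()
    outside = Path(tempfile.mkdtemp(prefix="outside_")) / "secret.txt"
    outside.write_text("constructed secret")
    (base / "escape.txt").symlink_to(outside)
    return str(base)


if __name__ == "__main__":
    store = make_sample_store()
    for name in ["invoice_1.pdf", "nested/../invoice_1.pdf",
                 "../../etc/passwd", "/etc/passwd", "escape.txt"]:
        print(f"{name!r:28} unsafe -> {unsafe_resolve(store, name)}")
        print(f"{'':28} safe   -> {classify(store, name)}")
```

Note that `nested/../invoice_1.pdf` is accepted: normalisation happens on the resolved path, so the rule rejects only names that actually leave the store rather than any name containing `..`. Detection on the server side follows the same logic: a request to the guest file endpoint whose resolved path falls outside the upload directory is worth logging as an attempted traversal, not just refusing.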

Key dates

Disclosure timeline

February 18, 2026 CVE published
February 25, 2026 Record updated