CVE-2026-23491

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-23491

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

I

nvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.

References
Link Resource
https://github.com/InvoicePlane/InvoicePlane/commit/add8bb798dde621f886823065ef1841986543c69 Patch
https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*
History

25 Feb 2026, 17:25

Type Values Removed Values Added
Summary (en) InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. a path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue. (en) InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.

20 Feb 2026, 17:36

Type Values Removed Values Added
First Time Invoiceplane invoiceplane
Invoiceplane
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
References () https://github.com/InvoicePlane/InvoicePlane/commit/add8bb798dde621f886823065ef1841986543c69 - () https://github.com/InvoicePlane/InvoicePlane/commit/add8bb798dde621f886823065ef1841986543c69 - Patch
References () https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc - () https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc - Exploit, Vendor Advisory
CPE cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*

18 Feb 2026, 20:18

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-18 20:18

Updated : 2026-02-25 17:25

NVD link : CVE-2026-23491

Mitre link : CVE-2026-23491

CVE.ORG link : CVE-2026-23491

JSON object : View

Products Affected

invoiceplane

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')