
InvoicePlane Allows Attackers to Read Server Files

CVE-2026-23491
Summary

InvoicePlane's file management system has a weakness that lets attackers read sensitive files on the server without permission. This could lead to the exposure of important information like database passwords. Upgrade to version 1.6.4 to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor        Product       Affected versions   Fix available
invoiceplane  invoiceplane  <= 1.6.4            –
Original title
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` cont...
Original description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
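As an added illustration of the mitigation for this class of bug (CWE-22 in a file-download handler), the following is a hardened resolver of the kind a `get_file` method needs. It is constructed example code in Python, not InvoicePlane's own PHP, and assumes a POSIX host for the symlink case; all file names and inputs in `demo()` are constructed.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a requested file name would escape the download directory."""


def resolve_download(base_dir: str, requested: str) -> Path:
    """Map a user-supplied name onto a file strictly inside base_dir (constructed)."""
    # Decode twice so double-encoded '%252e%252e' reaches the checks below.
    name = unquote(unquote(requested))
    if not name or "\x00" in name:
        raise UnsafePath("empty name or embedded NUL")
    # A download endpoint should only ever receive a bare file name, so reject
    # traversal outright instead of trying to strip '../' sequences.
    if "/" in name or "\\" in name or name in (".", ".."):
        raise UnsafePath(f"path components not allowed: {requested!r}")
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()  # follows symlinks, collapses '..'
    # Containment is checked on the *resolved* path, so a symlink planted in
    # the upload directory cannot point outside it; is_relative_to avoids the
    # '/var/uploads' vs '/var/uploads_old' string-prefix pitfall.
    if not candidate.is_relative_to(base):
        raise UnsafePath(f"resolved outside base directory: {candidate}")
    if not candidate.is_file():
        raise FileNotFoundError(name)
    return candidate


def demo() -> dict:
    """Run the resolver over constructed inputs; returns file name or error class."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    uploads.mkdir()
    (uploads / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (root / "config.php").write_text("<?php $db_password = 'placeholder';")
    (uploads / "link.pdf").symlink_to(root / "config.php")  # planted symlink
    results = {}
    for req in ("invoice.pdf", "../config.php", "..%2F..%2Fconfig.php",
                "%252e%252e/config.php", "link.pdf", "/etc/hostname",
                "missing.pdf"):
        try:
            results[req] = resolve_download(str(uploads), req).name
        except (UnsafePath, FileNotFoundError) as exc:
            results[req] = type(exc).__name__
    return results
```

Only the legitimate bare file name resolves; every traversal, encoded traversal, absolute path and symlink escape is refused before any file is opened.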
NVD CVSS 3.1: 7.5
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-22 Path Traversal
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026