Unrated severityNVD Advisory· Published Feb 18, 2026· Updated Feb 25, 2026
InvoicePlane has Unauthenticated Path Traversal in Guest Controller
CVE-2026-23491
Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the get_file method of the Guest module's Get controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=1.6.3+ 1 more
- (no CPE)range: <=1.6.3
- (no CPE)range: < 1.6.4
Patches
Vulnerability mechanics
References
2- github.com/InvoicePlane/InvoicePlane/commit/add8bb798dde621f886823065ef1841986543c69mitrex_refsource_MISC
- github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fcmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.