Unrated severityNVD Advisory· Published Feb 18, 2026· Updated Feb 25, 2026

InvoicePlane has Unauthenticated Path Traversal in Guest Controller

CVE-2026-23491

Description

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the get_file method of the Guest module's Get controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.

Affected products

Invoiceplane/Invoiceplanev5
Range: < 1.6.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/InvoicePlane/InvoicePlane/commit/add8bb798dde621f886823065ef1841986543c69mitrex_refsource_MISC
github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fcmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000