PT-2026-20490 · Unknown · Invoiceplane

Lukasz-Rybak · Published 2026-02-18 · Updated 2026-02-20

CVE-2026-23491

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
InvoicePlane versions through 1.6.3

Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal issue exists in the get file method of the Guest module's Get controller: the input filename parameter is used to build a filesystem path without being confined to the intended directory, so traversal sequences in it let an unauthenticated attacker read arbitrary files on the server. This can lead to the disclosure of sensitive information, including configuration files with database credentials. The vulnerable method is get file in the Guest module's Get controller, and the vulnerable parameter is the input filename.

Recommendations
Update InvoicePlane to version 1.6.4 or later.

Exploit

Fix

Path traversal


Weakness Enumeration

Related identifiers

CVE-2026-23491
GHSA-88GQ-MV54-V3FC

Affected products

Invoiceplane