Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including version 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
Published: 2026-02-18
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Disclosure
Action: Apply Patch
AI Analysis

Impact

A path traversal flaw exists in InvoicePlane’s guest controller, enabling an attacker to read arbitrary files on the server without authentication by manipulating the filename parameter. The vulnerability can expose sensitive information such as database credentials and configuration files, representing a significant breach of confidentiality.

Affected Systems

InvoicePlane versions up to and including 1.6.3 are affected. The issue is fixed in version 1.6.4. No other vendors or product families are currently impacted.

Risk and Exploitability

The flaw carries a CVSS score of 9.3, indicating critical severity. However, the EPSS score is less than 1%, implying a very low probability of exploitation in the wild. It is not catalogued in CISA’s KEV list. The vulnerability can be exploited from the public internet, requiring no authentication or additional privileges, making it a high‑risk threat for exposed installations.

Generated by OpenCVE AI on April 17, 2026 at 18:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update InvoicePlane to version 1.6.4 or later, which fixes the path traversal flaw in the guest controller.
  • If an upgrade is not immediately possible, limit public access to the guest controller by configuring the web server (e.g., using .htaccess or proxy rules) so that only authenticated or trusted IP addresses can reach it.
  • In the interim, tighten file‑system permissions for the web server process, ensuring it cannot read configuration or database files located outside the document root.


Advisories

No advisories yet.

History

Fri, 20 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:invoiceplane:invoiceplane:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Invoiceplane
Invoiceplane invoiceplane
Vendors & Products Invoiceplane
Invoiceplane invoiceplane

Wed, 18 Feb 2026 21:00:00 +0000

Type: Description
Values Removed: InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. a path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
Values Added: InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.

Wed, 18 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. a path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
Title InvoicePlane has Unauthenticated Path Traversal in Guest Controller
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T16:41:34.879Z

Reserved: 2026-01-13T15:47:41.628Z

Link: CVE-2026-23491

Vulnrichment

Updated: 2026-02-18T20:08:30.626Z

NVD

Status : Modified

Published: 2026-02-18T20:18:35.783

Modified: 2026-02-25T17:25:38.747

Link: CVE-2026-23491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses