Cyber Resilience

CVE-2026-23491

Critical · Public PoC

Published: 18 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: version 1.6.4 available
CVSS Score (v4): 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0105 (59.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-23491 is a critical-severity Path Traversal (CWE-22) vulnerability in Invoiceplane Invoiceplane. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 40.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-23491 is a path traversal vulnerability (CWE-22) in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane, a self-hosted open source application for managing invoices, clients, and payments. The flaw affects all versions up to and including 1.6.3, enabling attackers to read arbitrary files on the server by manipulating the input filename parameter. This issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact with no requirements for authentication or user interaction.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity to access sensitive files, such as configuration files containing database credentials. Successful exploitation leads to the disclosure of critical information that could facilitate further attacks, like unauthorized database access, but does not allow modification or execution of code.

The InvoicePlane security advisory (GHSA-88gq-mv54-v3fc) and the fixing commit (add8bb798dde621f886823065ef1841986543c69) confirm that upgrading to version 1.6.4 resolves the issue by addressing the path traversal in the affected controller method. Security practitioners should prioritize patching affected instances and review access logs for suspicious `get_file` requests.

Vulnerability details

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including version 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1005 Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files · Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Path traversal enables direct arbitrary local file read (T1005) and specifically access to credential files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24746 · Same product: Invoiceplane Invoiceplane
CVE-2026-24745 · Same product: Invoiceplane Invoiceplane
CVE-2025-67084 · Same product: Invoiceplane Invoiceplane
CVE-2026-24744 · Same product: Invoiceplane Invoiceplane
CVE-2024-56975 · Same product: Invoiceplane Invoiceplane
CVE-2026-24743 · Same product: Invoiceplane Invoiceplane
CVE-2026-25548 · Same product: Invoiceplane Invoiceplane
CVE-2026-33166 · Shared CWE-22
CVE-2026-4659 · Shared CWE-22
CVE-2025-1035 · Shared CWE-22

Affected Assets

Vendor: invoiceplane · Product: invoiceplane · Versions: ≤ 1.6.4

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly mitigates the path traversal vulnerability by requiring timely patching to version 1.6.4, which fixes the flawed `get_file` method.

prevent · SI-10 (Information Input Validation): Prevents exploitation by validating and sanitizing the input filename parameter to block path traversal sequences like '../' in the Guest module's Get controller.

prevent · AC-3 (Access Enforcement): Enforces application-level access controls to restrict unauthenticated file reads to authorized paths only, blocking arbitrary file disclosure.
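The log-review advice in the deeper analysis and the input-validation and access-enforcement controls above describe two defender tasks: confine a user-supplied filename to an authorized directory, and find traversal-style `get_file` requests in access logs. The Python below is an added example, not InvoicePlane's code (InvoicePlane itself is PHP); the upload directory, the request route and the log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Constructed base directory for guest-downloadable files; an assumption for this
# example, not InvoicePlane's real upload location.
UPLOAD_DIR = "/var/www/invoiceplane/uploads"

# Traversal and NUL-byte indicators, including single- and double-encoded forms.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|%2e%2e|%252e|%c0%ae|%00|\x00", re.IGNORECASE)


def safe_file_path(filename, base_dir=UPLOAD_DIR):
    """Resolve a user-supplied filename under base_dir; return None if it would
    escape. This is the containment check a CWE-22 fix needs: decode, reject
    '..' components and absolute paths, normalise, then verify the prefix."""
    decoded = unquote(unquote(filename))  # also catches double-encoded input
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    if ".." in re.split(r"[/\\]", decoded):
        return None
    resolved = os.path.normpath(os.path.join(base_dir, decoded))
    # Belt and braces: the normalised path must still sit inside base_dir and must
    # not be base_dir itself (on a live server also os.path.realpath() it for symlinks).
    if resolved == base_dir or os.path.commonpath([resolved, base_dir]) != base_dir:
        return None
    return resolved


def flag_suspicious_get_file(log_lines):
    """Scan access-log lines for get_file requests carrying traversal indicators.
    Returns (line_number, decoded_request_target) pairs for a responder to review."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m or "get_file" not in m.group(1).lower():
            continue
        target = m.group(1)
        decoded = unquote(unquote(target))
        if TRAVERSAL_RE.search(target) or TRAVERSAL_RE.search(decoded):
            hits.append((n, decoded))
    return hits


# Constructed CLF-style sample log lines; the request route is assumed, not taken
# from InvoicePlane. Lines 2 and 3 are traversal attempts (the third double-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Feb/2026:10:00:01 +0000] "GET /guest/get/get_file?filename=invoice_42.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/Feb/2026:10:00:07 +0000] "GET /guest/get/get_file?filename=../../../etc/hostname HTTP/1.1" 200 14',
    '10.0.0.9 - - [19/Feb/2026:10:00:09 +0000] "GET /guest/get/get_file?filename=%252e%252e%252f%252e%252e%252fetc%252fhostname HTTP/1.1" 200 14',
    '10.0.0.7 - - [19/Feb/2026:10:01:00 +0000] "GET /invoices HTTP/1.1" 200 880',
]
```

Calling `flag_suspicious_get_file(SAMPLE_LOG)` flags lines 2 and 3 with their decoded targets, while `safe_file_path` returns a path only for the benign request.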
