CVE-2026-23491
Published: 18 February 2026
Summary
CVE-2026-23491 is a high-severity Path Traversal (CWE-22) vulnerability in InvoicePlane (vendor: InvoicePlane). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); it is ranked at the 28.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
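The control above is easiest to understand next to the pattern it prevents. The following is an added illustration written for this page, not code from InvoicePlane or from the fixing commit: `unsafe_upload_path` shows the classic join-and-normalise mistake in which a user-supplied filename can walk out of the intended directory, and `safe_upload_path` shows the containment check a practitioner would expect (reject separators and `..`, resolve the real path, and confirm it is still under the base directory). The base directory `/srv/invoiceplane/uploads` and the filenames are assumptions made for the example.

```python
import os
import tempfile
from typing import Optional


def unsafe_upload_path(base_dir: str, user_name: str) -> str:
    # Vulnerable pattern: the caller-controlled name is joined to the base
    # directory and normalised, so "../" segments walk out of base_dir.
    return os.path.normpath(os.path.join(base_dir, user_name))


def safe_upload_path(base_dir: str, user_name: str) -> Optional[str]:
    """Return the absolute path of user_name inside base_dir, or None if the
    name would escape the directory. Rejection, not sanitising, is the point:
    a name with a separator in it is never a legitimate upload name."""
    # NUL bytes truncate paths in C-level APIs; never let them through.
    if "\x00" in user_name:
        return None
    # Empty, "." and ".." are not files.
    if user_name in ("", ".", ".."):
        return None
    # Any "/" makes basename() differ from the input; reject it.
    if os.path.basename(user_name) != user_name:
        return None
    # POSIX basename() ignores backslashes, so reject them explicitly.
    if "\\" in user_name:
        return None
    # Resolve symlinks on both sides, then require containment.
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def symlink_escape_is_blocked() -> bool:
    """Demonstrates why realpath() is part of the check: a symlink planted in
    the upload directory (constructed here in a temp dir) points outside it,
    and the name check alone would accept it."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.mkdir(uploads)
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("db_password=example\n")  # constructed sample content
        os.symlink(secret, os.path.join(uploads, "link.txt"))
        return safe_upload_path(uploads, "link.txt") is None


if __name__ == "__main__":
    base = "/srv/invoiceplane/uploads"  # assumed upload directory
    print("unsafe:", unsafe_upload_path(base, "../../../../etc/passwd"))
    print("safe  :", safe_upload_path(base, "../../../../etc/passwd"))
    print("safe  :", safe_upload_path(base, "invoice_001.pdf"))
    print("symlink escape blocked:", symlink_escape_is_blocked())
```

The hardened version deliberately refuses anything that is not a bare filename rather than trying to strip `../` sequences; stripping is easy to bypass (for example `....//`) and a rejected request is also a clean detection signal for the log review recommended later on this page.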
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables direct arbitrary local file read (T1005) and specifically access to credential files (T1552.001).
NVD Description
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane up to and including 1.6.3. The vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the input filename. This leads to the disclosure of sensitive information, including configuration files with database credentials. Version 1.6.4 fixes the issue.
Deeper analysis
CVE-2026-23491 is a path traversal vulnerability (CWE-22) in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane, a self-hosted open source application for managing invoices, clients, and payments. The flaw affects all versions up to and including 1.6.3 and lets an attacker read arbitrary files on the server by manipulating the input filename parameter. The issue carries a CVSS v3.1 base score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, reachable over the network, with no authentication or user interaction required.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity to read sensitive files, such as configuration files containing database credentials. Successful exploitation discloses information that can enable follow-on attacks, for example direct access to the database, but the flaw on its own provides no ability to modify files or execute code (I:N/A:N).
The InvoicePlane security advisory (GHSA-88gq-mv54-v3fc) and the fixing commit (add8bb798dde621f886823065ef1841986543c69) confirm that upgrading to version 1.6.4 resolves the issue by addressing the path traversal in the affected controller method. Security practitioners should prioritize patching affected instances and review web access logs for requests to the guest `get_file` endpoint whose filename contains traversal sequences (`../`, including URL-encoded and double-encoded variants), paying particular attention to those that returned HTTP 200.
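To make the log-review advice concrete, here is an added detection example written for this page (it is not tooling from the InvoicePlane project). It parses a small constructed access log, keeps only requests that reference `get_file`, percent-decodes the path repeatedly so double-encoded probes are not missed, and flags any request whose decoded path contains a `..` segment (with either separator) or a NUL byte. The `/guest/get/get_file/<name>` route shape, the IP addresses, timestamps and target filenames in the sample are all assumptions made for the example, not the application's actual routing or layout.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log in common/combined-style format. Every line below is
# made up for this example; the route shape is an assumption.
SAMPLE_LOG = r"""
203.0.113.10 - - [18/Feb/2026:10:01:02 +0000] "GET /guest/get/get_file/invoice_001.pdf HTTP/1.1" 200 5120
203.0.113.44 - - [18/Feb/2026:10:01:07 +0000] "GET /guest/get/get_file/..%2F..%2F..%2Fapplication%2Fconfig.php HTTP/1.1" 200 1830
203.0.113.44 - - [18/Feb/2026:10:01:09 +0000] "GET /guest/get/get_file/%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2210
198.51.100.7 - - [18/Feb/2026:10:02:00 +0000] "GET /invoices/view/12 HTTP/1.1" 200 7700
203.0.113.44 - - [18/Feb/2026:10:02:15 +0000] "GET /guest/get/get_file/..\..\..\application\config.php HTTP/1.1" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %252e%252e (double-encoded "..") is seen for what it is."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(path: str) -> bool:
    """True if the decoded path contains a ".." segment or a NUL byte.
    Splitting on both separators catches backslash variants too."""
    decoded = fully_decode(path)
    if "\x00" in decoded:
        return True
    segments = re.split(r"[/\\]", decoded)
    return ".." in segments


def find_traversal_requests(lines):
    """Return one record per get_file request that carries a traversal probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]  # drop any query string
        if "get_file" not in path.lower():
            continue
        if has_traversal(path):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "raw": path,
                "decoded": fully_decode(path),
            })
    return hits


def count_by_ip(hits) -> Counter:
    """Aggregate hits per source address for triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_traversal_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["ip"], h["status"], h["decoded"])
    print(count_by_ip(found))
```

When triaging real logs, a 200 response to a traversal request is the line to escalate on: it indicates the file was served, whereas a 404 (like the last sample line) is a probe that most likely failed. Note that a path decoded only once by the web server may still arrive at the application percent-encoded; the detector flags it anyway because the attempt itself is the signal.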
Details
- CWE(s)