CVE-2026-23491 InvoicePlane has Unauthenticated Path Traversal in Guest Controller

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal vulnerability exists in the getfile method of the Guest module's Get controller in InvoicePlane up to and including through 1.6.3. The vulnerability allows unauthenticated attacker...

CVE-2026-23491

InvoicePlane up to version 1.6.3 is affected by a path traversal vulnerability in the Guest.Get controller’s get_file method, allowing unauthenticated attackers to read arbitrary server files (including configuration with database credentials). Root cause: improper input handling of the filename ...

PT-2026-20490

Name of the Vulnerable Software and Affected Versions InvoicePlane versions through 1.6.3 Description InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A path traversal issue exists in the get file method of the Guest module's Get controller. This...

CVE-2025-59716

Summary: CVE-2025-59716 affects ownCloud Guests prior to 0.12.5. A flaw in token validation in the showPasswordForm pathway for /apps/guests/register/{email}/{token} allows unauthenticated users to enumerate valid pending guest accounts. The issue is confirmed by multiple sources (Nuclei template...