**Basic Information**

| Field | Details |
|---|---|
| **ID** | PACKETSTORM:218820 |
| **Published** | Apr 13, 2026 |
| **Score** | 9.3 / 10 (CRITICAL) |
| **CVSS vector** | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H/VI:N/SI:H/VA:N/SA:H` |
| **Affected Product** | InvoicePlane |
| **Affected Versions** | 1.6.3 and below |

**Description:** InvoicePlane versions 1.6.3 and below suffer from a path traversal vulnerability in the `get_file` method of the Guest module...
# CVE-2026-23491: InvoicePlane has Unauthenticated Path Traversal in Guest Controller
## Overview
| Field | Details |
|---|---|
| **CVE ID** | [CVE-2026-23491](https://nvd.nist.gov/vuln/detail/CVE-2026-23491) |
| **Severity** | CRITICAL |
| **Advisory** | [View Advisory](https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Affected Products
- **InvoicePlane/InvoicePlane**
## Details
### Summary
A path traversal vulnerability exists in the `get_file` method of the `Guest` module's `Get` controller in InvoicePlane 1.6.3 and earlier. The `Guest` module serves content to recipients who are not logged in, so the endpoint is reachable without any credentials (PR:N in the vector above). An unauthenticated attacker can read arbitrary files on the server by supplying traversal sequences in the filename segment of the URL, which discloses sensitive data such as the application configuration file and the database credentials it contains.
### Details
The vulnerability is located in `application/modules/guest/controllers/Get.php`, in the `get_file` function.
The function takes `$filename` directly from the URL path segment. It calls `urldecode($filename)` but never checks the decoded value for directory traversal sequences (`../`), does not reduce it to a bare file name, and does not verify that the resolved path stays inside the intended directory. The decoded, unsanitized value is concatenated with the base directory (`$this->targetPath`, which maps to `uploads/customer_files/`) and handed to `file_exists()` and then `readfile()`. Note also that the 404 branch echoes the attempted `$this->targetPath . $filename` back in the response message, so even a miss tells the attacker where the base directory is.
**Vulnerable Code Snippet:**
```php
public function get_file($filename): void
{
    // $filename comes straight from the URL segment; decoding turns "..%2f" into "../"
    $filename = urldecode($filename);

    // No traversal check: the decoded string is joined onto the base directory as-is
    if ( ! file_exists($this->targetPath . $filename)) {
        $ref = isset($_SERVER['HTTP_REFERER']) ? ', Referer:' . $_SERVER['HTTP_REFERER'] : '';
        // The attempted path is reflected in the error message
        $this->respond_message(404, 'upload_error_file_not_found', $this->targetPath . $filename . $ref);
    }

    // ... headers setting content type and disposition ...

    // Whatever "$this->targetPath . $filename" resolves to is streamed to the client
    readfile($this->targetPath . $filename);
}
```
Because `$filename` is user-controlled and unchecked, an attacker can provide a string like `../../ipconfig.php` to break out of the intended directory.
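The following standalone PHP script is an added example for this page; it is not InvoicePlane's code. It reproduces the decode-and-concatenate pattern quoted above beside one hardened form, running both against a constructed directory tree that mirrors the `uploads/customer_files/` layout with a stand-in `ipconfig.php` two levels up. The function names `vulnerableGetFile` and `hardenedGetFile` are hypothetical, the hardened version assumes customer files live in a single flat directory (no subfolders), and it needs PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example (not InvoicePlane code): the page's decode-and-concatenate
// pattern beside one hardened form, run against a constructed directory tree.
declare(strict_types=1);

// Constructed layout mirroring the page: <root>/uploads/customer_files/ is the
// intended base; <root>/ipconfig.php stands in for the config two levels up.
$root = sys_get_temp_dir() . '/ipdemo_' . bin2hex(random_bytes(4));
$base = $root . '/uploads/customer_files/';
mkdir($base, 0700, true);
file_put_contents($base . 'invoice-42.pdf', '%PDF-1.4 constructed sample');
file_put_contents($root . '/ipconfig.php', "DB_PASSWORD=constructed-secret\n");

// The vulnerable logic as quoted on the page: urldecode, concatenate, read.
// (Hypothetical function name; the real method is Get::get_file().)
function vulnerableGetFile(string $base, string $filename): ?string
{
    $filename = urldecode($filename);            // "..%2f..%2fipconfig.php" -> "../../ipconfig.php"
    if (!file_exists($base . $filename)) {
        return null;
    }
    return file_get_contents($base . $filename); // "../../" walks out of $base
}

// Hardened form (assumption: customer files live in one flat directory).
//  1. A valid name must equal its own basename, so anything carrying a
//     directory component is rejected before the filesystem is touched.
//  2. realpath() canonicalises both sides; the target must sit below $base,
//     compared with a trailing separator so "customer_files2/" does not
//     match "customer_files".
//  3. The resolved target must be a regular file; a symlink pointing outside
//     the base resolves elsewhere and already fails step 2.
function hardenedGetFile(string $base, string $filename): ?string
{
    $filename = urldecode($filename);
    if ($filename === '' || $filename !== basename($filename)) {
        return null;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . $filename);
    if ($baseReal === false || $target === false) {
        return null;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($target) ? file_get_contents($target) : null;
}

// The segment exactly as it appears in the page's PoC URL.
$traversal = '..%2f..%2fipconfig.php';

printf("vulnerable (%s): %s\n", $traversal, var_export(vulnerableGetFile($base, $traversal), true));
printf("hardened   (%s): %s\n", $traversal, var_export(hardenedGetFile($base, $traversal), true));
printf("hardened   (invoice-42.pdf): %s\n", var_export(hardenedGetFile($base, 'invoice-42.pdf'), true));

// Other shapes of the same attack: all of these come back null from the hardened form.
foreach (['.', '..', '../../ipconfig.php', '%2e%2e%2fipconfig.php', ''] as $bad) {
    printf("hardened   (%-22s): %s\n", var_export($bad, true), var_export(hardenedGetFile($base, $bad), true));
}

// Remove the constructed tree.
unlink($base . 'invoice-42.pdf');
unlink($root . '/ipconfig.php');
rmdir($base);
rmdir($root . '/uploads');
rmdir($root);
```

Run it with `php example.php`: the vulnerable function returns the contents of the stand-in `ipconfig.php`, the hardened one returns `NULL` for every traversal variant and the file contents only for `invoice-42.pdf`. The `basename()` comparison alone is enough for a flat directory; the `realpath()` containment check is kept as a second, independent layer so that a later change (for example allowing subfolders or symlinks) cannot silently reopen the hole.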
### PoC
The following cURL request reads `ipconfig.php`, which sits two directories above the default `uploads/customer_files/` base. The slashes in the traversal are sent as `%2f` so that the whole payload stays inside a single URI segment for the router; the controller's own `urldecode()` then turns it back into `../../ipconfig.php` before `file_exists()` and `readfile()` run. Reproduction caveat: whether an encoded slash ever reaches PHP depends on the front-end web server (Apache, for example, answers `%2F` in the path with a 404 unless `AllowEncodedSlashes` is enabled), so a 404 from this command does not by itself show that a host is patched.
```bash
curl http://localhost/index.php/guest/get/get_file/..%2f..%2fipconfig.php
```
**Expected Output:**
The server responds with the contents of `ipconfig.php`, the application's configuration file, which holds values such as `DB_PASSWORD` and `ENCRYPTION_KEY`.
### Impact
An unauthenticated attacker can read the application configuration (including the database credentials and encryption key), the application source code, and any other file readable by the web-server user. Database credentials recovered this way extend the compromise beyond the web application itself, which is consistent with the high subsequent-system impact (SC:H/SI:H) in the CVSS vector above.
## References
- https://github.com/InvoicePlane/InvoicePlane/security/advisories/GHSA-88gq-mv54-v3fc
- https://github.com/InvoicePlane/InvoicePlane/commit/add8bb798dde621f886823065ef1841986543c69
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.