CVE-2026-46622
8.1 HIGH
SolidInvoice is an open-source invoicing platform.
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CVSS: 8.1 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- CWE: CWE-312
Description
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a misconfigured replica, or insider access — immediately obtains all API credentials for every user with no further effort. This issue has been patched in version 2.3.17.
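Added illustration, not SolidInvoice's code (the project's actual change is in the linked commit): the plaintext-at-rest token store the description names, beside a hash-at-rest store, with a simulated table dump showing what each one leaks. The class names, the in-memory stand-in for the api_tokens table and the SHA-256 choice are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for an api_tokens table: stored value -> user.
# Not SolidInvoice's schema; names are illustrative assumptions.


class PlaintextTokenStore:
    """Vulnerable pattern (CWE-312): the secret itself is the stored value, so
    anyone who can read the table holds every user's working API credential."""

    def __init__(self):
        self.rows = {}

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self.rows[token] = user  # persisted as-is
        return token

    def authenticate(self, presented):
        return self.rows.get(presented)


class HashedTokenStore:
    """Hardened pattern: persist only a digest of the token. The plaintext is
    returned once at issuance and never stored, so a table read yields nothing
    that authenticates. Tokens are high-entropy random values, so an unsalted
    SHA-256 is adequate here (unlike passwords) and keeps the column indexable."""

    def __init__(self):
        self.rows = {}  # sha256 hex digest -> user

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self.rows[self._digest(token)] = user
        return token

    def authenticate(self, presented):
        digest = self._digest(presented)
        user = self.rows.get(digest)
        # Constant-time confirmation of the matched key; a miss returns None.
        if user is not None and hmac.compare_digest(digest, digest):
            return user
        return None


def credentials_usable_from_dump(store):
    """Simulate a leaked dump: how many stored values authenticate if replayed?"""
    return sum(1 for value in list(store.rows) if store.authenticate(value))
```

For the plaintext store every dumped row is a live credential; for the hashed store replaying the stored digests authenticates nothing, while the issued token still works.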
Source: NVD
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46622
- Other: https://github.com/SolidInvoice/SolidInvoice/commit/864539182572e1a3b2d76999b03060661ffa00f1
- Other: https://github.com/SolidInvoice/SolidInvoice/releases/tag/2.3.17
- Other: https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-qjfc-h39r-cgwq
Related CVEs
Same CWE
- CVE-2026-10786 — Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain... (6.5 MEDIUM)
- CVE-2026-36176 — GNCC GP5 v7.1.76 was discovered to store pre-signed Backblaze B2 upload URLs (PUT requests) in plaintext to the serial console (7.1 HIGH)
- CVE-2026-4387 — StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a...
- CVE-2026-45040 — RustFS is a distributed object storage system built in Rust
- CVE-2026-9274 — This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory