CVE Catalog

CVE-2026-46622

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile - higher than 10% of all known CVEs

Summary

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table.

Risk Assessment

Any attacker who obtains read access to the database can immediately obtain all API credentials for every user, posing a serious security risk to the organization.

Recommendation

It is recommended to upgrade to version 2.3.17 or later to secure the storage of API tokens and limit database access.

Original NVD description (English source)

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a misconfigured replica, or insider access — immediately obtains all API credentials for every user with no further effort. This issue has been patched in version 2.3.17.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS