CVE-2026-46622
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk10th percentile - higher than 10% of all known CVEs
Summary
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table.
Risk Assessment
Any attacker who obtains read access to the database can immediately obtain all API credentials for every user, posing a serious security risk to the organization.
Recommendation
It is recommended to upgrade to version 2.3.17 or later to secure the storage of API tokens and limit database access.
Original NVD description (English source)
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a misconfigured replica, or insider access — immediately obtains all API credentials for every user with no further effort. This issue has been patched in version 2.3.17.

