CVE-2026-46622

HIGH · EPSS 9.6%
Published Jun 11, 2026 · Modified Jun 17, 2026
CVSS 3.1 base score 8.1 (High)

Description

SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a misconfigured replica, or insider access — immediately obtains all API credentials for every user with no further effort. This issue has been patched in version 2.3.17.
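The storage pattern the description flags (CWE-312) and the fix it implies, as an added Python illustration; this is not SolidInvoice's code, and the in-memory `TokenStore` standing in for the api_tokens table is a constructed stand-in. The plaintext store hands every credential to anyone who can read the table, while the hashed store keeps only a SHA-256 digest, so a dump of the table yields nothing that authenticates.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """Constructed stand-in for an api_tokens table: stored value -> user."""

    def __init__(self, hashed: bool):
        self.hashed = hashed
        self.rows: dict[str, str] = {}

    def _at_rest(self, token: str) -> str:
        # Vulnerable variant: the raw token is what ends up in the table.
        if not self.hashed:
            return token
        # Hardened variant: API tokens are high-entropy random strings, so a
        # single unsalted SHA-256 is sufficient (unlike passwords, which need
        # a slow, salted KDF). Only the digest is persisted.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # shown to the user once
        self.rows[self._at_rest(token)] = user
        return token

    def authenticate(self, presented: str):
        """Return the owning user, or None. Lookup hashes the presented token
        the same way and compares in constant time."""
        key = self._at_rest(presented)
        for stored, user in self.rows.items():
            if hmac.compare_digest(stored, key):
                return user
        return None


def leaked_rows_authenticate(store: TokenStore) -> list:
    """Model an attacker with read access to the table: replay each stored
    value as if it were a token. With plaintext storage every row works;
    with hashed storage none does."""
    return [store.authenticate(stored) for stored in list(store.rows)]
```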

CVSS Details

Base Score
8.1
Exploitability
2.8
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
9.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-312

References 3

  • github.com https://github.com/SolidInvoice/SolidInvoice/commit/864539182572e1a3b2d76999b03060661ffa00f1
  • github.com https://github.com/SolidInvoice/SolidInvoice/releases/tag/2.3.17
  • github.com https://github.com/SolidInvoice/SolidInvoice/security/advisories/GHSA-qjfc-h39r-cgwq

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.