SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a misconfigured replica, or insider access — immediately obtains all API credentials for every user with no further effort. This issue has been patched in version 2.3.17.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46622.json",
"cwe_ids": [
"CWE-312"
],
"cna_assigner": "GitHub_M"
}