CVE-2025-66370

5.0 MEDIUM
Published: November 28, 2025 Modified: January 15, 2026
View on NVD

Description

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://blog.kivitendo.de/?p=1415
Source: cve@mitre.org
https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog
Source: cve@mitre.org
https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de
Source: cve@mitre.org
https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9
Source: cve@mitre.org
https://invoice.secvuln.info
Source: cve@mitre.org

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.0 / 10.0
EPSS (Exploit Probability)
0.0%
13th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-611

Related CVEs

CVE-2026-33809 N/A
CVE-2026-33751 N/A
CVE-2026-33749 N/A
CVE-2026-33724 N/A
CVE-2026-33722 N/A