VYPR
Medium severity5.0OSV Advisory· Published Nov 28, 2025· Updated Apr 15, 2026

CVE-2025-66370

CVE-2025-66370

Description

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • release-2.4.2, release-2.6.0, release-2.6.0beta1, …+ 1 more
    • (no CPE)range: release-2.4.2, release-2.6.0, release-2.6.0beta1, …
    • (no CPE)range: <3.9.2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.