Medium severity5.0OSV Advisory· Published Nov 28, 2025· Updated Apr 15, 2026
CVE-2025-66370
CVE-2025-66370
Description
Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2release-2.4.2, release-2.6.0, release-2.6.0beta1, …+ 1 more
- (no CPE)range: release-2.4.2, release-2.6.0, release-2.6.0beta1, …
- (no CPE)range: <3.9.2
Patches
Vulnerability mechanics
References
5- blog.kivitendo.denvd
- github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelognvd
- github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4denvd
- github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9nvd
- invoice.secvuln.infonvd
News mentions
0No linked articles in our index yet.