Medium severity5.0OSV Advisory· Published Nov 28, 2025· Updated Apr 15, 2026

CVE-2025-66370

Description

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

Affected products

Kivitendo/Kivitendo ERPOSV
Range: release-2.4.2, release-2.6.0, release-2.6.0beta1, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.kivitendo.denvd
github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelognvd
github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4denvd
github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9nvd
invoice.secvuln.infonvd

News mentions

No linked articles in our index yet.

cvss	0.325
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000