High severity7.2NVD Advisory· Published Apr 8, 2026· Updated Apr 17, 2026

CVE-2026-33273

Description

Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.

Affected products

Icz/Matcha Invoice
cpe:2.3:a:icz:matcha_invoice:*:*:*:*:*:*:*:*
Range: <=2.6.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

jvn.jp/en/jp/JVN33581068/nvdThird Party Advisory
oss.icz.co.jp/news/nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000