CVE-2025-66370

None

Description

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

INFO

Published Date :

2025-11-28T00:00:00.000Z

Last Modified :

2026-01-15T06:46:24.375Z

Source :

mitre

AFFECTED PRODUCTS

The following products are affected by CVE-2025-66370 vulnerability.

Vendors	Products
Kivitendo	Kivitendo

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66370.

URL	Resource
https://blog.kivitendo.de/?p=1415
https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog
https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de
https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9
https://invoice.secvuln.info

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact