ByteOS Network

NVD Vulnerability Details :

CVE-2025-66370

Awaiting Analysis

Source-cve@mitre.org

Published At-28 Nov, 2025 | 04:16

Updated At-15 Jan, 2026 | 07:16

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.0	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 5.0

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Weaknesses

CWE ID	Type	Source
CWE-611	Secondary	cve@mitre.org

CWE ID: CWE-611

Type: Secondary

Source: cve@mitre.org

References

Hyperlink	Source	Resource
https://blog.kivitendo.de/?p=1415	cve@mitre.org	N/A
https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog	cve@mitre.org	N/A
https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de	cve@mitre.org	N/A
https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9	cve@mitre.org	N/A
https://invoice.secvuln.info	cve@mitre.org	N/A