Description
SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered by a user who can log in to the product.
Published: 2026-04-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Database compromise via SQL injection
Action: Immediate Patch
AI Analysis

Impact

A classic SQL injection flaw exists in MATCHA INVOICE versions 2.6.6 and earlier, allowing an attacker with valid user credentials to inject arbitrary SQL. This can lead to reading sensitive data or modifying records, compromising the confidentiality and integrity of the stored information. The weakness is a classic injection bug (CWE‑89).

Affected Systems

Products from ICZ Corporation called MATCHA INVOICE are affected, specifically all releases 2.6.6 and lower. No other versions are noted in the advisory.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, placing it in the high‑severity range. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The attack requires a valid login to the application, so it is most likely triggered by an authenticated user. Once authenticated, the attacker can execute the injection and retrieve or alter database contents without additional privileges.

Generated by OpenCVE AI on April 8, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MATCHA INVOICE to a version newer than 2.6.6 or apply the vendor’s official patch.
  • If an immediate upgrade is not possible, restrict the database account used by the application to read‑only permissions and monitor for abnormal queries.
  • Consider isolating the application server behind a firewall and limiting external access to only necessary ports.

Generated by OpenCVE AI on April 8, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:icz:matcha_invoice:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in MATCHA INVOICE Prior to 2.6.6 Exposes Database

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Icz
Icz matcha Invoice
Vendors & Products Icz
Icz matcha Invoice

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Description SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered by a user who can log in to the product.
Weaknesses CWE-89
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Icz Matcha Invoice
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-08T15:06:29.082Z

Reserved: 2026-04-03T04:29:19.341Z

Link: CVE-2026-24913

cve-icon Vulnrichment

Updated: 2026-04-08T15:06:24.434Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T06:16:27.073

Modified: 2026-04-17T20:44:11.940

Link: CVE-2026-24913

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:43:56Z

Weaknesses