Description
Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.
Published: 2026-04-08
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An unrestricted file upload vulnerability (CWE-434) exists in MATCHA INVOICE versions 2.6.6 and earlier: the product lets an administrator upload files without adequately restricting their type. An attacker who holds, or has compromised, an administrator account can therefore place a file of a dangerous type (for example a server-side script) on the server, and if the web server can reach and execute that file, arbitrary code runs with the application's privileges. The vendor-assigned CVSS v4.0 vector rates the confidentiality, integrity and availability impact as low; the CVSS v3.1 vector recorded on 17 April (7.2, C:H/I:H/A:H) rates all three as high.
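
Added example, not code from MATCHA INVOICE or from ICZ (the product's implementation language and upload handler are not known): a minimal Python upload handler in the shape that produces CWE-434, beside a hardened version of the same operation. The allowed types, the dangerous-extension list and the size limit are assumptions chosen for illustration. The hardened handler keeps only the final path component, rejects control characters, rejects a script extension anywhere in the name (so `invoice.php.pdf` fails, not just `shell.php`), checks the extension against an allowlist, verifies the leading bytes against the declared type, and stores the file under a server-generated name so the client-supplied name never reaches the filesystem.

```python
"""CWE-434: vulnerable vs. hardened file-upload handling (added illustration, not product code)."""
import os
import secrets
import tempfile

# Allowlist of permitted extensions and the leading bytes each must carry.
# ASSUMED set for illustration; an invoicing product would define its own.
ALLOWED = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "csv": None,  # plain text: no magic number, checked as UTF-8 below
}
# Extensions that common web servers may hand to an interpreter (assumed list).
DANGEROUS_EXTS = {"php", "phtml", "php3", "php5", "phar", "jsp", "jspx", "asp", "aspx",
                  "cgi", "pl", "py", "sh", "exe", "dll", "htaccess", "war", "jar"}
MAX_BYTES = 10 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def vulnerable_save(upload_dir: str, client_filename: str, data: bytes) -> str:
    """The CWE-434 shape: trust the client-supplied name and write it as-is.

    If upload_dir is served by the web server, an administrator (or anyone
    holding an administrator session) can upload shell.php and execute it
    by requesting it over HTTP.
    """
    dest = os.path.join(upload_dir, client_filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def validate_upload(client_filename: str, data: bytes, max_bytes: int = MAX_BYTES) -> str:
    """Return the normalised extension if the upload is acceptable, else raise UploadRejected."""
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Keep only the final path component so ../ and C:\ prefixes have no effect.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or any(ord(c) < 32 or ord(c) == 127 for c in base):
        raise UploadRejected("invalid characters in filename")  # catches NUL-byte tricks
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing extension")  # also rejects dotfiles such as .htaccess
    if set(parts[1:]) & DANGEROUS_EXTS:
        raise UploadRejected("executable extension")  # invoice.php.pdf, shell.pdf.php, ...
    ext = parts[-1]
    if ext not in ALLOWED:
        raise UploadRejected("extension not in allowlist")
    magic = ALLOWED[ext]
    if magic is not None:
        if not data.startswith(magic):
            raise UploadRejected("content does not match declared type")
    else:
        if b"\x00" in data:
            raise UploadRejected("binary content in text upload")
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text upload is not valid UTF-8") from None
    return ext


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would accept the file."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected:
        return False
    return True


def hardened_save(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Validate, then store under a server-chosen name with no execute bit.

    The client-supplied name is never used on disk; keep it in the database
    as metadata if it must be displayed. upload_dir should live outside the
    web root or be served with script execution disabled.
    """
    ext = validate_upload(client_filename, data)
    dest = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(dest, "xb") as fh:  # "x": fail rather than overwrite an existing file
        fh.write(data)
    os.chmod(dest, 0o640)
    return dest


def demo() -> dict:
    """Exercise both handlers in a scratch directory and report what landed on disk."""
    scratch = tempfile.mkdtemp()
    webshell = b"<?php system($_GET['c']); ?>"  # constructed sample payload
    vuln_path = vulnerable_save(scratch, "shell.php", webshell)
    stored = hardened_save(scratch, "invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")
    return {
        "vulnerable_wrote_php": os.path.basename(vuln_path) == "shell.php",
        "hardened_rejects_webshell": not is_accepted("shell.php", webshell),
        "hardened_rejects_double_ext": not is_accepted("invoice.php.pdf", b"%PDF-1.7"),
        "hardened_stored_ext": os.path.basename(stored).rsplit(".", 1)[1],
        "client_name_reused": "invoice" in os.path.basename(stored),
    }


if __name__ == "__main__":
    print(demo())
```

The directory passed to `hardened_save` should additionally sit outside the web root or be served with script execution disabled: content checks alone do not stop a polyglot that is both a valid image and a valid script if the server is willing to execute it, and an upload that only administrators can perform still deserves the same checks, since this CVE's whole impact comes from an administrator-level upload.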

Affected Systems

ICZ Corporation's MATCHA INVOICE is affected in all releases up to and including version 2.6.6. Systems running those versions are at risk whenever an account with administrator privileges can upload files, which includes the case where an attacker has obtained such an account.

Risk and Exploitability

With a CVSS v4.0 base score of 5.1 (v3.0: 4.7; a v3.1 score of 7.2 was recorded on 17 April), the vulnerability is of moderate severity. The EPSS score is below 1% and the flaw is not listed in CISA's KEV catalog, indicating a low likelihood of exploitation at present; the SSVC assessment likewise records Exploitation: none and Automatable: no. The attack requires high privileges (PR:H): the attacker must already hold an administrator account, or obtain one through phishing, credential reuse or another weakness. No user interaction is needed, and once an executable file has been placed where the server will run it, no further privilege escalation is required.

Generated by OpenCVE AI on April 8, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch for MATCHA INVOICE as soon as one is available (none is listed at the time of writing), and confirm the installed version is later than 2.6.6 once it is.
  • Until then, restrict the upload feature to the smallest set of administrators who need it, and enforce an allowlist of permitted file types validated by content (leading bytes), not only by the client-supplied extension; reject names carrying a script extension anywhere, such as name.php.pdf.
  • Store uploads outside the web root, or in a directory where the web server has script execution disabled, under server-generated file names.
  • Audit the application's roles and permissions so that only authorized administrators can upload files.
  • Monitor application and web-server logs for uploads of unexpected file types and for requests to script files under the upload directory.
  • Review administrator accounts regularly, remove unused ones, enforce strong passwords and, where the product supports it, multi-factor authentication.
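
Added example for the monitoring recommendation above; it is not from the product or the vendor. This is a small Python detector over web-server access logs in combined format (the format is standard; the upload endpoint `/admin/upload`, the served directory `/uploads/` and the 10-minute window are assumed names and values for the example). It flags any request for a script-type file under the upload directory and raises the severity when the same client address made a successful upload request shortly before, which is the sequence an exploit of this issue would leave behind. The log lines are constructed for the example, not real traffic.

```python
"""Hunt for upload-then-execute activity in web-server access logs (added illustration)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The endpoint and directory names are ASSUMPTIONS for the example;
# substitute the real ones from the deployment.
UPLOAD_ENDPOINT = "/admin/upload"
UPLOAD_DIR_PREFIX = "/uploads/"
SCRIPT_EXTS = {"php", "phtml", "php5", "phar", "jsp", "jspx", "asp", "aspx", "cgi", "pl", "py", "sh"}
CORRELATION_WINDOW = timedelta(minutes=10)

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines: an admin session that uploads and then fetches a PHP
# file, a legitimate PDF upload and retrieval, and an unrelated probe for a JSP file.
SAMPLE_LOG = """\
203.0.113.7 - admin [08/Apr/2026:10:21:55 +0000] "GET /admin/settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - admin [08/Apr/2026:10:22:01 +0000] "POST /admin/upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Apr/2026:10:22:09 +0000] "GET /uploads/invoice.php?cmd=id HTTP/1.1" 200 87 "-" "curl/8.5.0"
198.51.100.4 - admin [08/Apr/2026:11:02:40 +0000] "POST /admin/upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Apr/2026:11:03:00 +0000] "GET /uploads/2026-04_invoice.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
192.0.2.99 - - [08/Apr/2026:13:45:12 +0000] "GET /uploads/x.jsp HTTP/1.1" 404 210 "-" "python-requests/2.32"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string
    return ev


def extension_chain(path):
    """All extensions of the last path component, lower-cased: /u/a.php.pdf -> {'php', 'pdf'}."""
    name = path.rsplit("/", 1)[-1].lower()
    return set(name.split(".")[1:])


def find_alerts(lines):
    """Return alerts for script-file requests under the upload directory, correlated with uploads."""
    events = [ev for ev in map(parse_line, lines) if ev]
    # Successful upload requests, keyed by client address, for correlation.
    uploads = defaultdict(list)
    for ev in events:
        if ev["method"] in ("POST", "PUT") and ev["path"] == UPLOAD_ENDPOINT and ev["status"] < 400:
            uploads[ev["ip"]].append(ev["ts"])
    alerts = []
    for ev in events:
        if not ev["path"].startswith(UPLOAD_DIR_PREFIX):
            continue
        if not (extension_chain(ev["path"]) & SCRIPT_EXTS):
            continue  # a document being fetched from the upload area is normal
        recent_upload = any(timedelta(0) <= ev["ts"] - t <= CORRELATION_WINDOW
                            for t in uploads[ev["ip"]])
        if recent_upload and ev["status"] == 200:
            severity = "critical"  # same client uploaded, then the script answered 200
        elif ev["status"] == 200:
            severity = "high"      # a script under the upload dir was served; origin unknown
        else:
            severity = "medium"    # probe or failed attempt; still worth a look
        alerts.append({"severity": severity, "ip": ev["ip"], "user": ev["user"],
                       "path": ev["path"], "status": ev["status"],
                       "ts": ev["ts"].isoformat(), "recent_upload": recent_upload})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run `find_alerts(open(path).readlines())` against the real log. The access log does not carry the uploaded file's name; if the application writes its own upload audit log with the administrator's username and the original filename, the same extension check is better applied there as well, since it catches the upload before anyone requests the file.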

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

Type: CPEs
  Values removed: (none)
  Values added: cpe:2.3:a:icz:matcha_invoice:*:*:*:*:*:*:*:*

Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Wed, 08 Apr 2026 20:15:00 +0000

Type: Title
  Values removed: (none)
  Values added: Unrestricted File Upload Leading to Arbitrary Code Execution in MATCHA INVOICE

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Icz; Icz matcha Invoice

Type: Vendors & Products
  Values removed: (none)
  Values added: Icz; Icz matcha Invoice

Wed, 08 Apr 2026 15:15:00 +0000

Type: Metrics
  Values removed: (none)
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 05:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-434

Type: References
  Values removed: (none)
  Values added:

Type: Metrics
  Values removed: (none)
  Values added: cvssV3_0 {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Icz Matcha Invoice
MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-08T15:05:25.194Z

Reserved: 2026-04-03T04:29:18.445Z

Link: CVE-2026-33273

Vulnrichment

Updated: 2026-04-08T15:05:21.693Z

NVD

Status : Analyzed

Published: 2026-04-08T06:16:28.647

Modified: 2026-04-17T20:49:00.363

Link: CVE-2026-33273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:55Z

Weaknesses