CVE-2025-66370

MEDIUM

kivitendo < 3.9.2 - XML External Entity Injection via ZUGFeRD Invoice Upload

Title source: llm

Description

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

References (5)

Core 5

Core References

Various Sources

https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog

View Writeup ZIP pw:eip

Various Sources

https://blog.kivitendo.de/?p=1415

Various Sources

https://invoice.secvuln.info

Patch

https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de

View Patch ZIP pw:eip

Patch

https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9

View Patch ZIP pw:eip

Scores

CVSS v3 5.0

EPSS 0.0027

EPSS Percentile 19.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (1)

kivitendo/kivitendo < 3.9.2

Published Nov 28, 2025

Tracked Since Feb 18, 2026