CVE-2026-0649

MEDIUM

invoiceninja <= 5.12.38 - Server-Side Request Forgery via Company Logo Import

Title source: llm

Description

A security vulnerability has been detected in invoiceninja up to 5.12.38. The affected element is the function copy of the file /app/Jobs/Util/Import.php of the component Migration Import. The manipulation of the argument company_logo leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Permissions Required, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.339720

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.339720

Permissions Required, VDB Entry third-party-advisory

https://vuldb.com/?submit.721323

Various Sources exploit

https://note-hxlab.wetolink.com/share/fWqEpn5fX4rH

Scores

CVSS v3 4.7

EPSS 0.0022

EPSS Percentile 12.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (39)

n/a/invoiceninja 5.12.0

n/a/invoiceninja 5.12.1

n/a/invoiceninja 5.12.10

n/a/invoiceninja 5.12.11

n/a/invoiceninja 5.12.12

n/a/invoiceninja 5.12.13

n/a/invoiceninja 5.12.14

n/a/invoiceninja 5.12.15

n/a/invoiceninja 5.12.16

n/a/invoiceninja 5.12.17

... and 29 more

Published Jan 07, 2026

Tracked Since Feb 18, 2026