CVE-2026-24913

HIGH

MATCHA INVOICE <= 2.6.6 - Authenticated SQL Injection

Title source: llm

Description

A SQL injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, a user who can log in to the product may obtain or alter information stored in the database.

Scores

CVSS v3 8.8
EPSS 0.0030
EPSS Percentile 21.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
icz/matcha_invoice < 2.6.6
ICZ Corporation/MATCHA INVOICE 2.6.6 and earlier
Published Apr 08, 2026
Tracked Since Apr 08, 2026