Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.
AnalysisAI
Remote code execution in MATCHA INVOICE 2.6.6 and earlier allows authenticated administrators to upload arbitrary files with dangerous types, enabling arbitrary code execution on the affected server. The vulnerability affects ICZ Corporation's MATCHA INVOICE product across all versions up to and including 2.6.6. While CVSS 4.7 reflects the requirement for administrative authentication, the RCE impact and file upload mechanism present a significant post-authentication risk in environments where administrative accounts may be compromised or insider threats exist. No public exploit code or CISA KEV confirmation identified at time of analysis.
Technical ContextAI
The vulnerability exploits insufficient validation in the file upload mechanism of MATCHA INVOICE, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The affected product is ICZ Corporation's MATCHA INVOICE (cpe:2.3:a:icz_corporation:matcha_invoice:*:*:*:*:*:*:*:*), which appears to be an invoicing/document management application. The root cause is an inadequate or missing file type validation check during upload operations. When an administrator uploads a file through the application, no proper content-type verification, file extension filtering, or magic number validation is performed, allowing the upload of executable code (such as PHP, JSP, or other server-side script formats) that can subsequently be executed by the server. This is a classic post-authentication remote code execution vector commonly found in enterprise applications with weak file handling controls.
RemediationAI
Upgrade MATCHA INVOICE to a version newer than 2.6.6 as released by ICZ Corporation. Patch availability and specific fixed versions should be obtained directly from the vendor advisory at https://oss.icz.co.jp/news/?p=1386. As an interim control pending patching, restrict file upload functionality to trusted administrators, implement strict input validation and file type whitelisting on the server side (validate magic numbers and MIME types, not just extensions), enforce Content-Disposition headers to prevent direct execution, store uploaded files outside the web root, and apply the principle of least privilege to administrative accounts. Organizations should also review recent upload activity logs to identify any suspicious file uploads that may indicate prior exploitation.
More in Matcha Invoice
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20054
GHSA-4w7x-xp7v-5wc2