Skip to main content

Matcha Invoice EUVDEUVD-2026-20051

| CVE-2026-24913 HIGH
SQL Injection (CWE-89)
2026-04-08 jpcert
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 17, 2026 - 20:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 08, 2026 - 05:30 euvd
EUVD-2026-20051
Analysis Generated
Apr 08, 2026 - 05:30 vuln.today
CVE Published
Apr 08, 2026 - 05:10 nvd
HIGH 8.7

DescriptionCVE.org

SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered by a user who can log in to the product.

AnalysisAI

SQL injection in MATCHA INVOICE 2.6.6 and earlier allows authenticated users with low-level privileges to extract or modify database contents via network access. With CVSS 8.8 (High severity), low attack complexity, and no user interaction required, authenticated attackers can achieve full confidentiality, integrity, and availability impact on the application database. No public exploit identified at time of analysis, with EPSS data not available for this recently disclosed vulnerability.

Technical ContextAI

This vulnerability affects MATCHA INVOICE (CPE: cpe:2.3:a:icz_corporation:matcha_invoice), an invoicing application developed by ICZ Corporation. The flaw is classified as CWE-89 (SQL Injection), indicating inadequate input validation or parameterization of SQL queries. SQL injection occurs when user-supplied data is incorporated into SQL statements without proper sanitization, allowing attackers to manipulate query logic. In authenticated contexts, this typically manifests through form inputs, search parameters, or API endpoints accessible to logged-in users. Given the application's invoicing nature, vulnerable entry points likely include customer data fields, invoice search functions, or report generation features where SQL queries are dynamically constructed using user input without prepared statements or proper escaping.

RemediationAI

Upgrade MATCHA INVOICE to the patched version released by ICZ Corporation addressing this SQL injection vulnerability. Consult the vendor security advisory at https://oss.icz.co.jp/news/?p=1386 for specific patched version numbers and upgrade instructions. The JVN advisory at https://jvn.jp/en/jp/JVN33581068/ provides additional remediation guidance from JPCERT/CC. As interim risk reduction measures pending patching, implement strict input validation on all user-accessible fields, enforce principle of least privilege for application database accounts to limit SQL injection impact scope, enable database query logging to detect exploitation attempts, and review user account provisioning to ensure only necessary personnel have application access. Organizations should prioritize patching given the network accessibility and straightforward exploitation pathway of SQL injection vulnerabilities in business-critical invoicing systems.

Share

EUVD-2026-20051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy