CVE-2026-33273 Icz — Exploit & Vulnerability Details MEDIUM

CVE-2026-33273

MEDIUM CVSS 4.0: 5.1 EPSS 0.05%

Parameter	Value
CVSS	5.1 (MEDIUM)
Affected Versions	before 2.6.6
Type	CWE-434 (Unrestricted File Upload)
Vendor	Icz
Public PoC	No

Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

None

No additional conditions

Privileges Required

High

Admin privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

Low

Partial data leak

Integrity

Low

Partial data modification

Availability

Low

Partial disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-434 Unrestricted File Upload

Vulnerable Products 1

Configuration	From (including)	Up to (excluding)
Icz Matcha_Invoice cpe:2.3:a:icz:matcha_invoice::::::::	—	`<= 2.6.6`

References 2

https://jvn.jp/en/jp/JVN33581068/

vultures@jpcert.or.jp

https://oss.icz.co.jp/news/?p=1386

vultures@jpcert.or.jp

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-27787

Icz

5.1

CVE-2026-24913

Icz

8.7

Menu

CVE-2026-33273

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

Vulnerable Products 1

References 2

Related Vulnerabilities

CVE-2026-27787

CVE-2026-24913

CVE Details

Editor's Choice

Menu

CVE-2026-33273

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

Vulnerable Products 1

References 2

Related Vulnerabilities

CVE-2026-27787

CVE-2026-24913

CVE Details

Editor's Choice

Stay informed on cybersecurity