CVE-2025-66370

Published November 28th, 2025

View on NVD ↗

CVSS v3

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

kivitendo/kivitendo-erp

Web-based ERP system for the German market

GitHub

117