Kivitendo XXE Injection Vulnerability Allowing File Exfiltration

Vulnerability

An XML External Entity (XXE) injection vulnerability has been identified in Kivitendo versions prior to 3.9.2. The issue arises when electronic invoices in the ZUGFeRD format are uploaded: the embedded XML is processed in a way that resolves external entities, so a crafted invoice can be used to read and exfiltrate files from the server's filesystem.

Impact

Exploitation of this vulnerability could lead to unauthorized access and exfiltration of files from the server's filesystem.

Remediation

Users can upgrade to Kivitendo version 3.9.2 or later to address this vulnerability.
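The parser policy that closes this class of bug, shown here as an added example that is not Kivitendo's own code and makes no assumption about its Perl code base: a ZUGFeRD invoice never needs a DTD, so every DOCTYPE, entity declaration and external entity reference is refused before the document is parsed. The CII namespaces follow ZUGFeRD/Factur-X, and both sample invoices are constructed.

```python
# Added example, not Kivitendo's code: refuse DTD and entity declarations before
# parsing an uploaded ZUGFeRD invoice. Both sample invoices below are constructed.
import xml.etree.ElementTree as ET
import xml.parsers.expat

RSM = "urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100"
RAM = "urn:un:unece:uncefact:data:standard:ReusableAggregateBusinessInformationEntity:100"

class UnsafeXmlError(ValueError):
    """The upload carries a DOCTYPE or entity declaration and is rejected."""

def reject_dtd(xml_bytes: bytes) -> None:
    """Expat pre-pass: a ZUGFeRD invoice never needs a DTD, so every DOCTYPE,
    entity declaration and external entity reference is refused outright."""
    parser = xml.parsers.expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} not allowed in invoice upload")
    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration {name!r} not allowed")
    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity {sysid!r} blocked")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)  # a handler raises on the first forbidden construct

def load_invoice(xml_bytes: bytes) -> str:
    """Validate, then parse and return the invoice ID from ExchangedDocument."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{RSM}}}CrossIndustryInvoice":
        raise UnsafeXmlError("root element is not rsm:CrossIndustryInvoice")
    return root.findtext(f"{{{RSM}}}ExchangedDocument/{{{RAM}}}ID", "").strip()

def is_accepted(xml_bytes: bytes) -> bool:
    try:
        return bool(load_invoice(xml_bytes))
    except (UnsafeXmlError, ET.ParseError, xml.parsers.expat.ExpatError):
        return False

def _cii(prologue: bytes, id_text: bytes) -> bytes:
    """Constructed minimal invoice; `prologue` goes between XML declaration and root."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>' + prologue
            + b'<rsm:CrossIndustryInvoice xmlns:rsm="' + RSM.encode() + b'" xmlns:ram="'
            + RAM.encode() + b'"><rsm:ExchangedDocument><ram:ID>' + id_text
            + b'</ram:ID></rsm:ExchangedDocument></rsm:CrossIndustryInvoice>')

SAFE_INVOICE = _cii(b"", b"INV-2025-001")
# Same header plus a DTD whose external entity points at a placeholder path; a resolving parser would copy that file into the ID.
XXE_INVOICE = _cii(b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/secret.txt">]>', b"&xxe;")
```

Rejecting the DOCTYPE outright also stops internal-entity expansion attacks, which the same pre-pass catches through the entity declaration handler.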

Added: Nov 28, 2025, 4:21 AM
Updated: Nov 28, 2025, 4:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 1.3
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.