Home > Vulnerability Database > CVE-2025-66370

Mend.io Vulnerability Database

CVE-2025-66370

Good to know:

Date: November 27, 2025

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

Severity Score

5.0

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66370

Url: https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9

Url: https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de

Url: https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog

Url: https://blog.kivitendo.de/?p=1415

Url: https://www.mend.io/vulnerability-database/CVE-2025-66370

Severity Score

5.0

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference

CWE-611

Top Fix

Upgrade Version

Upgrade to version https://github.com/kivitendo/kivitendo-erp.git - release-3.9.2

Learn More

CVSS v3.1

Base Score:	5.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66370

Good to know:

Date: November 27, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?