CVE-2026-33273
Severity: HIGH | WAF: Medium
CVSS 7.2
Published: 2026-04-08
CWE-434
An unrestricted upload of file with dangerous type vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an administrator of the product may create an arbitrary file, and as a result arbitrary code may be executed on the server.
WAF Coverage Analysis
Unrestricted File Upload
Medium WAF Coverage
OWASP: A04:2021 Insecure Design
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| icz | matcha_invoice | up to 2.6.6 |
References
- jvn.jp (Third Party Advisory)
- oss.icz.co.jp (Vendor Advisory)