{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33273", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-04-03T04:29:18.445Z", "datePublished": "2026-04-08T05:11:03.549Z", "dateUpdated": "2026-04-08T15:05:25.194Z"}, "containers": {"cna": {"affected": [{"vendor": "ICZ Corporation", "product": "MATCHA INVOICE", "versions": [{"version": "2.6.6 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server."}], "problemTypes": [{"descriptions": [{"description": "Unrestricted upload of file with dangerous type", "lang": "en-US", "cweId": "CWE-434", "type": "CWE"}]}], "references": [{"url": "https://oss.icz.co.jp/news/?p=1386"}, {"url": "https://jvn.jp/en/jp/JVN33581068/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 4.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-08T05:11:03.549Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:05:18.489563Z", "id": "CVE-2026-33273", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:05:25.194Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33273", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:05:18.489563Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:05:21.693Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "ICZ Corporation", "product": "MATCHA INVOICE", "versions": [{"status": "affected", "version": "2.6.6 and earlier"}]}], "references": [{"url": "https://oss.icz.co.jp/news/?p=1386"}, {"url": "https://jvn.jp/en/jp/JVN33581068/"}], "descriptions": [{"lang": "en", "value": "Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted upload of file with dangerous type"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-08T05:11:03.549Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33273", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:05:25.194Z", "dateReserved": "2026-04-03T04:29:18.445Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-04-08T05:11:03.549Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server."}], "id": "CVE-2026-33273", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-08T06:16:28.647", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN33581068/"}, {"source": "vultures@jpcert.or.jp", "url": "https://oss.icz.co.jp/news/?p=1386"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "MATCHA INVOICE", "source": "cna", "vendor": "ICZ Corporation"}, "product": "matcha_invoice", "vendor": "icz"}], "analysis": {"en": {"generated_at": "2026-04-08T06:20:40.873092+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch for MATCHA INVOICE if available.", "If no patch is available, restrict file upload functionality or enforce allowed file types.", "Audit the application to ensure only authorized administrators can upload files.", "Monitor server logs for unexpected file uploads.", "Regularly review administrator credentials and enforce strong password policies."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "ICZ Corporation\u2019s MATCHA INVOICE is affected, specifically all releases up to and including version 2.6.6. Systems running the product in those versions are at risk whenever an administrator has the ability to upload files.", "description_and_impact": "An unrestricted file upload vulnerability exists in MATCHA INVOICE versions 2.6.6 and earlier, allowing an administrator to upload a file with a dangerous type. Once uploaded, the attacker can place malicious files on the server, potentially leading to execution of arbitrary code. This flaw is categorized as CWE\u2011434 and directly threatens confidentiality, integrity, and availability.", "risk_and_exploitability": "With a CVSS score of 5.1, the vulnerability represents moderate severity. No EPSS score is reported and the flaw is not listed in CISA's KEV catalog, suggesting a lower likelihood of current exploitation. The likely attack vector hinges on an attacker obtaining administrative access or leveraging an administrative user having file\u2011upload capabilities. Once the file is uploaded, execution can occur without additional privilege escalation."}}}}, "created": "2026-04-08T19:33:18.902717+00:00", "title": "Unrestricted File Upload Leading to Arbitrary Code Execution in MATCHA INVOICE", "updated": "2026-04-08T19:43:55.197238+00:00", "vendors": ["icz", "icz$PRODUCT$matcha_invoice"]}