PT-2025-48312 · Kivitendo · Kivitendo

Published: 2025-11-28 · Updated: 2025-12-26 · CVE-2025-66370

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kivitendo versions prior to 3.9.2

Description: Kivitendo is susceptible to XML External Entity (XXE) injection. An attacker can exploit this by uploading an electronic invoice in the ZUGFeRD format, potentially allowing them to read and exfiltrate files from the server's filesystem. XXE injection occurs when an application parses XML input that declares and references an external entity, and the parser is configured to resolve it. This can allow an attacker to access sensitive information or execute arbitrary code on the server.

Recommendations: Update Kivitendo to version 3.9.2 or later.
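As an added illustration (not code from Kivitendo or from this advisory), the check below shows how an upload handler can refuse e-invoice XML that carries any DOCTYPE or entity declaration before the parser resolves anything, using Python's standard-library expat parser; the CII-style sample documents, the element names and the hypothetical function names are constructed and simplified, not the ZUGFeRD schema.

```python
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """Uploaded XML carries a DTD, entity declaration or external entity reference."""

def parse_einvoice(xml_bytes):
    """Parse an uploaded e-invoice and return its document-level ID text.

    Any DOCTYPE/entity construct is rejected before the parser resolves anything:
    an e-invoice has no legitimate need for a DTD. Element names follow a
    simplified CII layout (an assumption, not the full ZUGFeRD schema).
    """
    parser = xml.parsers.expat.ParserCreate()
    stack = []            # ancestry of the element whose text is being read
    found = {"id": ""}
    def forbid(*_args):
        raise UnsafeXMLError("DTD/entity constructs are not allowed in uploaded invoices")
    parser.StartDoctypeDeclHandler = forbid    # fires on <!DOCTYPE ...>
    parser.EntityDeclHandler = forbid          # fires on <!ENTITY ...>
    parser.ExternalEntityRefHandler = forbid   # fires if an external ref is still reached

    def chars(data):
        # Collect only the text of <ram:ID> directly under <rsm:ExchangedDocument>.
        if stack[-2:] == ["rsm:ExchangedDocument", "ram:ID"]:
            found["id"] += data
    parser.StartElementHandler = lambda name, _attrs: stack.append(name)
    parser.EndElementHandler = lambda _name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)
    return found["id"]

def is_safe_upload(xml_bytes):
    """True when the document parses without any DTD/entity construct."""
    try:
        parse_einvoice(xml_bytes)
        return True
    except UnsafeXMLError:
        return False

# Constructed samples: a benign invoice, and one that declares an external entity.
SAFE_INVOICE = b"""<?xml version="1.0" encoding="UTF-8"?>
<rsm:CrossIndustryInvoice xmlns:rsm="urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100"
 xmlns:ram="urn:un:unece:uncefact:data:standard:ReusableAggregateBusinessInformationEntity:100">
  <rsm:ExchangedDocument><ram:ID>RE-2025-0001</ram:ID></rsm:ExchangedDocument>
</rsm:CrossIndustryInvoice>"""
XXE_INVOICE = b"""<?xml version="1.0"?>
<!DOCTYPE rsm:CrossIndustryInvoice [ <!ENTITY ext SYSTEM "file:///dev/null"> ]>
<rsm:CrossIndustryInvoice xmlns:rsm="urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100">
  <rsm:ExchangedDocument><ram:ID>&ext;</ram:ID></rsm:ExchangedDocument>
</rsm:CrossIndustryInvoice>"""
```

Rejecting the DTD wholesale is the same approach defusedxml's `forbid_dtd` takes, and it is preferable to trying to filter individual entity declarations.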

Fix

XXE

Weakness Enumeration

Related Identifiers: CVE-2025-66370

Affected Products: Kivitendo