CVE-2026-33273
Published: 08 April 2026
Summary
CVE-2026-33273 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Icz Matcha Invoice. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE ranks at the 17.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Deeper analysis
CVE-2026-33273 is an unrestricted upload of file with dangerous type vulnerability, classified under CWE-434, affecting MATCHA INVOICE versions 2.6.6 and earlier. This flaw enables the creation of arbitrary files through improper validation of uploaded file types.
The vulnerability can be exploited by an administrator of the product, who requires high privileges (PR:H) but can attack over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows the creation of an arbitrary file on the server, potentially leading to arbitrary code execution, with high impacts on confidentiality, integrity, and availability (CVSS:3.1 score of 7.2; S:U).
Mitigation details are provided in advisories from JVN at https://jvn.jp/en/jp/JVN33581068/ and the vendor at https://oss.icz.co.jp/news/?p=1386.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20054
Vulnerability details
Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload (CWE-434) directly enables adversaries with admin access to transfer arbitrary malicious files onto the server (Ingress Tool Transfer, T1105) and to deploy web shells for code execution and persistence (Server Software Component: Web Shell, T1505.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the unrestricted upload vulnerability by validating uploaded file types and content so that dangerous files cannot be created on the server.
- SI-9 (Information Input Restrictions): Restricts the types of files that administrators can upload, removing the ability to create arbitrary dangerous files that lead to code execution.
- Limits system functionality to essentials, restricting or prohibiting the unrestricted file upload capability that enables arbitrary file creation.
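The SI-10/SI-9 controls above translate into a concrete upload validator. The Python below is an added example and is not code from MATCHA INVOICE or the vendor advisory; the allowlist of accepted formats, their magic bytes, and the list of server-executable extensions are assumptions chosen for illustration.

```python
import secrets
from pathlib import PurePosixPath

# Assumed allowlist: extension -> leading bytes (magic number) the content
# must carry. An invoicing product would list only the formats it needs.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}

# Extensions a web server may hand to an interpreter if the file lands under
# the web root (assumed list; extend for the stack actually deployed).
SERVER_EXECUTABLE = {"php", "phtml", "php3", "php5", "phar", "jsp",
                     "asp", "aspx", "cgi", "pl", "py", "sh"}


class UploadRejected(ValueError):
    """Raised when an upload fails validation (CWE-434 control point)."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected.

    Checks, in order: path components stripped from the client name, no
    server-executable extension anywhere in the name (covers double
    extensions such as x.php.pdf), final extension on the allowlist, and
    content magic bytes matching that extension (type is not trusted from
    the name or the client-supplied Content-Type).
    """
    base = PurePosixPath(filename.replace("\\", "/")).name
    if base in ("", ".", "..") or "\x00" in base:
        raise UploadRejected("invalid file name")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing or hidden extension")
    exts = parts[1:]
    if any(e in SERVER_EXECUTABLE for e in exts):
        raise UploadRejected("server-executable extension in name")
    ext = exts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext}")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # Never reuse the client-supplied name on disk: generate a random one
    # and store it outside the web root on a noexec-mounted directory.
    return f"{secrets.token_hex(16)}.{ext}"


def is_rejected(filename: str, content: bytes) -> bool:
    """Helper for tests and logging: True if the upload would be refused."""
    try:
        validate_upload(filename, content)
        return False
    except UploadRejected:
        return True
```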