Cyber Resilience

CVE-2026-33273

Severity: Medium
Published: 08 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: see the vendor advisory linked below
CVSS v4.0 base score: 5.1 (Medium)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0006 (17.9th percentile)
Risk Priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33273 is a medium-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Icz Matcha Invoice, versions 2.6.6 and earlier. Its CVSS v4.0 base score is 5.1 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK techniques Ingress Tool Transfer (T1105) and Web Shell (T1505.003). Its EPSS score places it at the 17.9th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions). Note that SI-9 is withdrawn in Revision 5, its content having been incorporated into AC-2, AC-3, AC-5 and AC-6, so when working from the current baseline map the "restrict what administrators may upload" requirement onto those access-control controls.

Deeper analysis

CVE-2026-33273 is an unrestricted upload of file with dangerous type vulnerability, classified under CWE-434, affecting MATCHA INVOICE versions 2.6.6 and earlier. The upload feature does not adequately restrict the type of file it accepts, so a file of a dangerous type (for example a server-side script) can be written to the server through it.

The vulnerability is exploitable by an administrator of the product: the attacker needs high privileges (PR:H) but can act over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation lets that administrator create an arbitrary file on the server, which can lead to arbitrary code execution. Note that the two scorings on this page disagree on impact: the CVSS v3.1 vector rates confidentiality, integrity and availability impact high with unchanged scope (7.2, High), whereas the v4.0 vector above rates all three low (5.1, Medium). In either reading, the PR:H requirement makes this a post-authentication step, from application administrator to code execution on the host, rather than an initial-access bug; it matters most where administrator credentials are shared, weakly protected or exposed to phishing.

Mitigation details are provided in advisories from JVN at https://jvn.jp/en/jp/JVN33581068/ and the vendor at https://oss.icz.co.jp/news/?p=1386.


Vulnerability details

Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload (CWE-434) directly enables an adversary holding admin access to transfer arbitrary files onto the server (T1105) and, where the upload directory is served by the web server, to deploy a web shell for code execution and persistence (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
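For the detection side of the mapping above (T1105 drops a file, T1505.003 turns it into a web shell), here is an added example, not code from the vendor, JVN or this tracker, of a scanner that walks an application's upload directory for the artefacts such an upload leaves behind: executable extensions anywhere in the name chain, per-directory server config overrides that can make an image extension executable, and script markers inside files that claim to be images or documents. The directory layout, file contents and marker list are constructed for the example.

```python
"""Added example (not vendor code): hunt an application's upload directory for
artifacts of T1105/T1505.003, i.e. files an attacker would drop through an
unrestricted upload. Directory layout and file contents are constructed."""
import os
import tempfile
from typing import List, Tuple

# Extensions a typical web server may hand to a script engine (assumed list).
EXEC_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "jsp", "jspx", "asp", "aspx", "cgi", "pl", "py", "sh",
}
# Per-directory config files that can turn an image extension into executable code.
CONFIG_OVERRIDES = {".htaccess", ".user.ini", "web.config"}
# Byte sequences common in dropped web shells; kept short to limit noise in
# legitimate documents (no bare "eval(" on purpose, PDFs with JavaScript use it).
SHELL_MARKERS = (b"<?php", b"<?=", b"<%", b"<jsp:", b"base64_decode(",
                 b"shell_exec(", b"passthru(", b"system(")
HEAD_BYTES = 65536  # only the first 64 KiB of each file is inspected


def scan_upload_dir(root: str) -> List[Tuple[str, str]]:
    """Walk `root` (symlinks are not followed) and return (relative path, finding)
    pairs, sorted so the output is stable for diffing between runs."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in CONFIG_OVERRIDES:
                findings.append((rel, "server config override in upload dir"))
                continue
            # Every extension in the chain counts: Apache mod_mime maps name.png.php
            # and, depending on configuration, name.php.png to the PHP handler.
            exts = {part.lower() for part in name.split(".")[1:]}
            if exts & EXEC_EXTENSIONS:
                findings.append((rel, "executable extension"))
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            hits = [marker.decode() for marker in SHELL_MARKERS if marker in head]
            if hits:
                findings.append((rel, "script markers: " + ", ".join(hits)))
    return sorted(findings)


# Constructed sample tree: two benign uploads, one polyglot with a PHP
# extension, one .htaccess dropped to make .png executable, one JPEG-headed
# file carrying an encoded web shell.
SAMPLE_TREE = {
    "invoices/2026-04/INV-1001.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "logos/acme.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "logos/acme.png.php": b"\x89PNG\r\n\x1a\n<?php system($_GET['c']); ?>",
    "tmp/.htaccess": b"AddType application/x-httpd-php .png\n",
    "tmp/backup.jpg": b"\xff\xd8\xff<?php eval(base64_decode($_POST['x'])); ?>",
}


def build_sample_tree() -> str:
    """Materialise SAMPLE_TREE under a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="uploads-")
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, finding in scan_upload_dir(build_sample_tree()):
        print(f"{rel:24} {finding}")
```

Point it at the real upload path from a scheduled job and diff successive runs; a new hit in a directory that should only ever hold images or PDFs is the signal to pull the web server access log for the matching upload request and the admin session that made it.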

CVEs Like This One (shared CWE-434)

CVE-2026-41587
CVE-2025-6207
CVE-2024-50620
CVE-2025-12171
CVE-2025-26325
CVE-2025-6079
CVE-2024-13448
CVE-2025-51056
CVE-2025-66256
CVE-2026-32523

Affected Assets

Vendor: icz
Product: matcha invoice
Versions: ≤ 2.6.6

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses the unrestricted upload vulnerability by validating uploaded file types and content to prevent dangerous files from being created on the server.

SI-9 Information Input Restrictions (prevent): Restricts the types of files that administrators can upload, mitigating the ability to create arbitrary dangerous files leading to code execution.

(prevent): Limits system functionality to essentials, restricting or prohibiting unrestricted file upload capabilities that enable arbitrary file creation.
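As an added illustration, not code from MATCHA INVOICE or its vendor, here is the CWE-434 pattern the deeper analysis describes placed beside the kind of validator the SI-10 and SI-9 controls above call for. The extension policy, magic-byte table, sample filenames and helper names are assumptions made for the example.

```python
"""Added example (not MATCHA INVOICE code): the CWE-434 upload shape beside a
hardened validator. Extension policy, sample uploads and helper names are
constructed for illustration."""
import os
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed policy for an invoicing app: only images and PDFs, each tied to the
# leading bytes (magic) the content must start with.
ALLOWED_TYPES: Dict[str, Tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # chosen by the server, never the client


def vulnerable_destination(upload_dir: str, filename: str) -> str:
    """The CWE-434 shape: the client-supplied name decides the extension the web
    server will see (so shell.php is served as PHP) and, via '..', where the
    file lands. Nothing about the content is checked."""
    return os.path.join(upload_dir, filename)


def validate_upload(filename: str, content: bytes) -> Verdict:
    """Hardened handling: reject control characters and path separators, allow
    exactly one extension from the allowlist, require matching magic bytes,
    and store under a random server-generated name."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        return Verdict(False, "control character in filename")
    if "/" in filename or "\\" in filename:
        return Verdict(False, "path separator in filename")
    parts = filename.split(".")
    if len(parts) != 2:
        # Blocks name.png.php and Apache-style multi-extension tricks.
        return Verdict(False, "expected exactly one extension")
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return Verdict(False, "unsafe characters in filename")
    if ext not in ALLOWED_TYPES:
        return Verdict(False, f"extension .{ext} not allowlisted")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return Verdict(False, f"content does not look like {ext}")
    # The stored extension is the allowlisted string, not whatever the client
    # sent, and a random name removes attacker control over the resulting URL.
    return Verdict(True, "ok", f"{secrets.token_hex(16)}.{ext}")


# Constructed sample uploads: (client filename, first bytes of content).
SAMPLE_UPLOADS: List[Tuple[str, bytes]] = [
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("invoice.pdf", b"%PDF-1.7\n"),
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("logo.png.php", b"\x89PNG\r\n\x1a\n<?php echo 1; ?>"),
    ("logo.php\x00.png", b"<?php phpinfo(); ?>"),
    ("../../etc/cron.d/job", b"* * * * * root id\n"),
    ("payload.png", b"<?php system($_GET['c']); ?>"),  # claims PNG, carries PHP
]


def triage(samples=SAMPLE_UPLOADS) -> Dict[str, bool]:
    """Return {client filename: accepted?} for a batch of uploads."""
    return {name: validate_upload(name, body).accepted for name, body in samples}


if __name__ == "__main__":
    for name, body in SAMPLE_UPLOADS:
        v = validate_upload(name, body)
        print(f"{name!r:28} vulnerable -> {vulnerable_destination('/srv/app/uploads', name)}")
        outcome = f"ACCEPT as {v.stored_name}" if v.accepted else f"REJECT: {v.reason}"
        print(f"{'':28} hardened   -> {outcome}")
```

The validator is only half of the control: the directory it writes to should sit outside the web root, or be served with script execution disabled, so that even a polyglot that passes the magic check is delivered as static bytes rather than handed to an interpreter.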
