Published: 2026/04/08  Last Updated: 2026/04/08

JVN#33581068
Multiple vulnerabilities in MATCHA series

Overview

MATCHA series provided by ICZ Corporation contains multiple vulnerabilities.

Products Affected

CVE-2026-24913, CVE-2026-33273

  • MATCHA INVOICE 2.6.6 and earlier

CVE-2026-27787

  • MATCHA SNS 1.3.9 and earlier

Description

MATCHA series provided by ICZ Corporation contains multiple vulnerabilities listed below.

  • SQL injection (CWE-89)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.7
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
    • CVE-2026-24913
  • Cross-site scripting (CWE-79)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
    • CVE-2026-27787
  • Unrestricted upload of file with dangerous type (CWE-434)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Base Score 5.1
    • CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L Base Score 4.7
    • CVE-2026-33273

Impact

  • Information stored in the database may be obtained or altered by a user who can log in to the product (CVE-2026-24913)
  • An arbitrary script may be executed on the web browser of the user who accessed the website using the product (CVE-2026-27787)
  • An arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server (CVE-2026-33273)

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2026-24913, CVE-2026-27787
Kenta Chikagawa of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2026-33273
Shoji Baba reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2026-24913, CVE-2026-27787, CVE-2026-33273
JVN iPedia: JVNDB-2026-000052