CVE-2025-10009

N/A Unknown
Published: September 22, 2025 Modified: April 15, 2026
View on NVD

Description

Incorrect handling of uploaded files in the admin "Restore" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/invoiceninja/invoiceninja/commit/02151b570b226b4584a8e61b06b10be9366da3de
Source: db4dfee8-a97e-4877-bfae-eba6d14a2166

1 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
EPSS (Exploit Probability)
0.1%
32th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-434

Related CVEs

CVE-2026-7875 8.8
CVE-2026-42503 8.8
CVE-2026-29080 N/A
CVE-2026-23870 7.5
CVE-2026-21661 N/A