{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24913", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-04-03T04:29:19.341Z", "datePublished": "2026-04-08T05:10:12.155Z", "dateUpdated": "2026-04-08T15:06:29.082Z"}, "containers": {"cna": {"affected": [{"vendor": "ICZ Corporation", "product": "MATCHA INVOICE", "versions": [{"version": "2.6.6 and earlier", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered by a user who can log in to the product."}], "problemTypes": [{"descriptions": [{"description": "Improper neutralization of special elements used in an SQL command ('SQL Injection')", "lang": "en-US", "cweId": "CWE-89", "type": "CWE"}]}], "references": [{"url": "https://oss.icz.co.jp/news/?p=1386"}, {"url": "https://jvn.jp/en/jp/JVN33581068/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-08T05:10:12.155Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:06:21.413556Z", "id": "CVE-2026-24913", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:06:29.082Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24913", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T15:06:21.413556Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:06:24.434Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "ICZ Corporation", "product": "MATCHA INVOICE", "versions": [{"status": "affected", "version": "2.6.6 and earlier"}]}], "references": [{"url": "https://oss.icz.co.jp/news/?p=1386"}, {"url": "https://jvn.jp/en/jp/JVN33581068/"}], "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered by a user who can log in to the product."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-89", "description": "Improper neutralization of special elements used in an SQL command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-08T05:10:12.155Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24913", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:06:29.082Z", "dateReserved": "2026-04-03T04:29:19.341Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-04-08T05:10:12.155Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:icz:matcha_invoice:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BF23003-709B-4C38-BD44-946DDD4D511C", "versionEndIncluding": "2.6.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered by a user who can log in to the product."}], "id": "CVE-2026-24913", "lastModified": "2026-04-17T20:44:11.940", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-08T06:16:27.073", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN33581068/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://oss.icz.co.jp/news/?p=1386"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "MATCHA INVOICE", "source": "cna", "vendor": "ICZ Corporation"}, "product": "matcha_invoice", "vendor": "icz"}], "analysis": {"en": {"generated_at": "2026-04-08T06:20:51.126400+00:00", "value": {"mitigation_remediation": ["Update MATCHA INVOICE to a version newer than 2.6.6 or apply the vendor\u2019s official patch. ", "If an immediate upgrade is not possible, restrict the database account used by the application to read\u2011only permissions and monitor for abnormal queries. ", "Consider isolating the application server behind a firewall and limiting external access to only necessary ports."], "summary": {"action": "Immediate Patch", "impact": "Database compromise via SQL injection"}, "threat_synthesis": {"affected_systems": "Products from ICZ Corporation called MATCHA INVOICE are affected, specifically all releases 2.6.6 and lower. No other versions are noted in the advisory.", "description_and_impact": "A classic SQL injection flaw exists in MATCHA INVOICE versions 2.6.6 and earlier, allowing an attacker with valid user credentials to inject arbitrary SQL. This can lead to reading sensitive data or modifying records, compromising the confidentiality and integrity of the stored information. The weakness is a classic injection bug (CWE\u201189).", "risk_and_exploitability": "The flaw carries a CVSS score of 8.7, placing it in the high\u2011severity range. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The attack requires a valid login to the application, so it is most likely triggered by an authenticated user. Once authenticated, the attacker can execute the injection and retrieve or alter database contents without additional privileges."}}}}, "created": "2026-04-08T19:33:20.065563+00:00", "title": "SQL Injection in MATCHA INVOICE Prior to 2.6.6 Exposes Database", "updated": "2026-04-08T19:43:56.349701+00:00", "vendors": ["icz", "icz$PRODUCT$matcha_invoice"]}