CVE-2025-10009

Summary

Incorrect handling of uploaded files in the admin "Restore" function in Invoice Ninja <= 5.11.72 allows attackers with admin credentials to execute arbitrary code on the server via uploaded .php files.

Affected Software

VendorProductVersion RangeStatus
Invoice NinjaInvoice Ninja 55.11.41 <= 5.11.72affected
Invoice NinjaInvoice Ninja 55.11.73 <= *unaffected

Weaknesses

  • CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References