CVE-2025-10009

🗓️ 22 Sep 2025 09:20:03Reported by NCSC-FIType

Authenticated admin remote code execution in Invoice Ninja via Restore uploads up to 5.11.72.

Reporter	Title	Published	Views	Family All 9
Circl	CVE-2025-10009	22 Sep 202512:45	–	circl
CNNVD	Invoice Ninja 安全漏洞	22 Sep 202500:00	–	cnnvd
Cvelist	CVE-2025-10009 Authenticated admin RCE in Invoice Ninja	22 Sep 202509:20	–	cvelist
EUVD	EUVD-2025-30778	3 Oct 202520:07	–	euvd
NVD	CVE-2025-10009	22 Sep 202510:15	–	nvd
Positive Technologies	PT-2025-38704	22 Sep 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-10009	24 Sep 202509:23	–	redhatcve
Snyk	Arbitrary File Upload	22 Sep 202509:41	–	snyk
Vulnrichment	CVE-2025-10009 Authenticated admin RCE in Invoice Ninja	22 Sep 202509:20	–	vulnrichment

[
  {
    "collectionURL": "https://github.com/invoiceninja/invoiceninja",
    "defaultStatus": "unaffected",
    "modules": [
      "Admin \"Restore\" function"
    ],
    "packageName": "invoiceninja",
    "platforms": [
      "Linux",
      "Windows",
      "64 bit"
    ],
    "product": "Invoice Ninja 5",
    "programFiles": [
      "https://github.com/invoiceninja/invoiceninja/blob/v5.11.72/app/Http/Controllers/ImportJsonController.php"
    ],
    "repo": "https://github.com/invoiceninja/invoiceninja",
    "vendor": "Invoice Ninja",
    "versions": [
      {
        "lessThanOrEqual": "5.11.72",
        "status": "affected",
        "version": "5.11.41",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "version": "5.11.73",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
github	www.github.com/invoiceninja/invoiceninja/commit/02151b570b226b4584a8e61b06b10be9366da3de

17 Jun 2026 08:27Current

7.5High risk

Vulners AI Score7.5

CVSS 48.6

EPSS0.00469

SSVC

CWE-434