CVE-2026-0649 | invoiceninja up to 5.12.38 Migration Import Import.php copy company_logo server-side request forgery

A vulnerability identified as critical has been detected in invoiceninja up to 5.12.38. The affected element is the function copy of the file /app/Jobs/Util/Import.php of the component Migration Import. The manipulation of the argument company_logo leads to server-side request forgery.

This vulnerability is traded as CVE-2026-0649. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-0649 | invoiceninja up to 5.12.38 Migration Import Import.php copy company_logo server-side request forgery

Post correlati

CVE-2024-25285 | Redsys 3DSecure 2.0 threeDSMethodNotificationURL cross site scripting

CVE-2024-43033 | JPress up to 5.1.1 on Windows AttachmentController unrestricted upload (Issue 188)

CVE-2023-49197 | Apasionados DoFollow Case by Case Plugin up to 3.4.2 on WordPress cross-site request forgery

CVE-2025-41729 | Janitza UMG 96-PA/UMG 96-PA-MID+ up to 3.53 Modbus improper validation of specified type of input (VDE-2025-094)