Skip to main content

code-projects Invoice System CVE-2026-7091

| EUVDEUVD-2026-25778 LOW
Improper Authorization (CWE-285)
2026-04-27 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
CVSS changed
Apr 27, 2026 - 07:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 27, 2026 - 06:45 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 06:30 euvd
EUVD-2026-25778
Analysis Generated
Apr 27, 2026 - 06:30 vuln.today
CVE Published
Apr 27, 2026 - 05:30 nvd
LOW 2.1

DescriptionCVE.org

A flaw has been found in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /user of the component User Management Handler. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used.

AnalysisAI

Improper authorization in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass access controls on the User Management Handler (/user endpoint), gaining unauthorized read, write, and availability impact. The vulnerability has a published exploit available and affects all versions of the affected product line.

Technical ContextAI

The vulnerability resides in the User Management Handler component of the Invoice System in Laravel framework, specifically in the /user file endpoint. The root cause is classified as CWE-285 (Improper Authorization), indicating the application fails to properly validate that users are authorized to perform requested actions on user resources. This is a classic broken access control flaw common in Laravel applications where route middleware or policy authorization checks are either missing or insufficiently restrictive. An authenticated user can manipulate requests to access or modify user data they should not have permission to access, bypassing the intended authorization boundaries.

RemediationAI

Contact code-projects to obtain a patched version addressing the authorization bypass. In the interim, implement the following compensating controls: (1) Apply web application firewall rules to restrict POST/PUT/DELETE requests to the /user endpoint to only administrative users based on IP reputation or role headers, though this may impact legitimate administrative access; (2) Enforce strict input validation and rate-limiting on the /user endpoint to slow automated exploitation; (3) Review and strengthen Laravel route middleware and authorization policies on the User Management Handler - ensure all CRUD operations include proper authorization checks (e.g., Gate::authorize or Policy classes) that verify the authenticated user's role and ownership before allowing access; (4) Implement request logging and alerting on unauthorized access attempts to the /user endpoint to detect active exploitation; (5) Restrict application access to trusted networks only via firewall or VPN if operationally feasible. Note: these controls do not remediate the underlying flaw and should be temporary pending a vendor patch.

Share

CVE-2026-7091 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy