Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /profile/ of the component Profile Handler. Such manipulation of the argument ID leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Improper authorization in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass access controls via manipulation of the ID parameter in the Profile Handler (/profile/ endpoint), leading to unauthorized read, modification, and denial of service impacts. Public exploit code is available, elevating real-world exploitation risk despite the moderate CVSS score of 6.3.
Technical ContextAI
The vulnerability exists in the Profile Handler component of the code-projects Invoice System, a Laravel-based application. The root cause is classified as CWE-285 (Improper Authorization), indicating insufficient access control checks on the ID parameter within the /profile/ endpoint. The attack manipulates this parameter to bypass authorization logic, allowing an authenticated user to access or modify profile data belonging to other users. This is a classic insecure direct object reference (IDOR) vulnerability, where insufficient validation of user-supplied input permits lateral privilege escalation within the application.
RemediationAI
Apply authorization controls to the /profile/ endpoint by implementing access checks that verify the authenticated user's ownership or explicit permission before returning or modifying profile data associated with the requested ID parameter. If a patched version is available from code-projects (verify at https://code-projects.org/), upgrade immediately. As a compensating control pending patch availability, implement middleware or route-level authorization checks using Laravel's built-in authorization features (e.g., Gate or Policy) to enforce that users can only access their own profile data; alternatively, log all /profile/ endpoint requests and implement rate limiting on failed authorization attempts to detect exploitation attempts. Note that compensating controls do not eliminate the vulnerability and should be paired with a vendor patch as soon as available.
More in Invoice System In Laravel
View allImproper authorization in code-projects Invoice System in Laravel 1.0 allows remote unauthenticated attackers to bypass
Code-Projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass authorization controls via m
Improper authorization in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass ac
Cross-site scripting (XSS) in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to injec
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25780