Skip to main content

code-projects Invoice System CVE-2026-7108

| EUVDEUVD-2026-25805 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-27 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Apr 27, 2026 - 09:32 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 09:22 euvd
EUVD-2026-25805
Analysis Generated
Apr 27, 2026 - 09:22 vuln.today
CVE Published
Apr 27, 2026 - 09:16 nvd
LOW 2.1

DescriptionCVE.org

A security vulnerability has been detected in code-projects Invoice System in Laravel 1.0. This affects an unknown function. Such manipulation leads to cross-site request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.

AnalysisAI

Cross-site request forgery (CSRF) in code-projects Invoice System 1.0 for Laravel allows remote attackers to perform unauthorized actions via crafted requests. The vulnerability requires user interaction (clicking a malicious link) but affects the system's integrity through unvalidated state-changing operations. Exploit code is publicly available, and the CVSS 5.3 score reflects moderate severity with limited integrity impact but no confidentiality or availability harm.

Technical ContextAI

This is a CSRF vulnerability (CWE-352) in a Laravel-based invoice management application. CSRF attacks exploit the trust relationship between a user's browser and a web application by forcing the browser to submit unauthorized requests to the application on behalf of the authenticated user. The vulnerability exists in an unknown function within the Invoice System, suggesting missing CSRF token validation or improper implementation of same-origin policy protections. Laravel provides built-in CSRF middleware (token generation and validation via the _token parameter), but this application either disables it for certain endpoints or fails to apply it correctly. The attack vector is network-based (AV:N) with low complexity (AC:L), and critically requires user interaction (UI:P), typically clicking a link or viewing a malicious webpage while authenticated.

RemediationAI

Apply CSRF protection by ensuring all state-changing endpoints (POST, PUT, DELETE, PATCH) validate Laravel's CSRF token via the middleware stack. The primary fix requires patching the unknown vulnerable function to include CSRF token validation using Laravel's built-in @csrf Blade directive in forms and verifying tokens server-side. No specific patched version is available from vendor sources at time of analysis. As a compensating control, implement SameSite=Strict or SameSite=Lax cookie attribute on session tokens to prevent browsers from sending credentials on cross-origin requests; note this requires users on modern browsers and does not fully replace token validation. Additionally, implement Content Security Policy (CSP) headers to restrict the origins from which forms can be submitted. For immediate risk reduction, disable or restrict access to identified vulnerable invoice endpoints until patches are deployed, though this impacts business functionality.

Share

CVE-2026-7108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy