
Indian Invoicing System CVE-2026-9412

EUVD-2026-31613 · Severity: LOW
Improper Access Control (CWE-284)
2026-05-25 · VulDB · GHSA-prjj-f47h-rrr3
Base score 2.1 (CVSS 4.0, NVD)

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Not defined (CVSS 4.0 has no Scope metric; it is replaced by the Subsequent System metrics SC/SI/SA, all N here)

Lifecycle Timeline

Analysis Generated
Jun 08, 2026 - 13:09 vuln.today
Severity Changed
May 26, 2026 - 19:37 NVD
MEDIUM → LOW
CVSS changed
May 26, 2026 - 19:37 NVD
6.3 (MEDIUM) → 2.1 (LOW)

Description (CVE.org)

A vulnerability was determined in SourceCodester Indian Invoicing System 1.0. Impacted is an unknown function of the component Backend Endpoint. Executing a manipulation can lead to improper access controls. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Multiple endpoints are affected.

Analysis (AI-generated)

Improper access control across multiple backend endpoints in SourceCodester Indian Invoicing System 1.0 permits authenticated low-privilege users to reach restricted functionality beyond their authorization level. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms remote exploitation requiring only low-level credentials, with confidentiality, integrity, and availability all assessed at low impact across the vulnerable system. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege account credentials
Delivery: Authenticate to Indian Invoicing System remotely
Exploit: Craft requests targeting restricted backend endpoints
Execution: Bypass server-side access control checks
Impact: Access or modify unauthorized data/functions

Vulnerability Assessment (AI-generated)

Exploitation: The attacker must hold a valid, authenticated low-privilege account on the Indian Invoicing System (PR:L per the CVSS 4.0 vector); unauthenticated exploitation is not supported by the available data. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The overall risk is low-to-moderate in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in.

Exploit Scenario: An attacker with a low-privilege account on the Indian Invoicing System, such as a standard user or junior staff member, crafts HTTP requests targeting backend endpoints intended for higher-privilege roles (e.g., administrative or financial report endpoints). Leveraging the publicly available PoC from GitHub, the attacker submits requests to multiple restricted endpoints without triggering proper authorization checks, gaining read or write access to data or functions beyond their role. …

Remediation: No vendor-released patch has been identified at the time of analysis; the SourceCodester vendor has not published a security advisory or fixed release for Indian Invoicing System 1.0. … Detailed patch versions, workarounds, and compensating controls are in the full report.
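The weakness described above is a backend endpoint that treats "logged in" as "authorized". The following is an added example, not code from the SourceCodester project (whose source is not shown on this page); it assumes the application is PHP and that the session layout, endpoint names and role names are hypothetical. It places the weak check beside a per-endpoint role allow-list of the kind a fix or compensating control would enforce, and logs denials so that probing of restricted endpoints by low-privilege accounts is visible to defenders.

```php
<?php
// Added example: server-side authorization guard for a backend endpoint.
// Assumptions (hypothetical, not taken from the affected project): the app
// keeps the authenticated user in $_SESSION['user'] with an integer 'id'
// and a string 'role' drawn from 'admin', 'accountant', 'staff'.

declare(strict_types=1);

// --- Weak pattern: authentication is mistaken for authorization -------------
// Any logged-in account, including a low-privilege one, passes this check,
// so every backend endpoint behind it is reachable by every user.
function weakGuard(array $session): bool
{
    return isset($session['user']);
}

// --- Hardened pattern: each endpoint declares which roles may call it -------
// The allow-list is consulted on the server for every request; hiding a menu
// item in the UI is not relied on for enforcement.
const ENDPOINT_ROLES = [
    'admin/manage_users.php'     => ['admin'],
    'admin/financial_report.php' => ['admin', 'accountant'],
    'invoice/view.php'           => ['admin', 'accountant', 'staff'],
];

function isAuthorized(array $session, string $endpoint): bool
{
    $role = $session['user']['role'] ?? null;
    if (!is_string($role)) {
        return false;                              // not authenticated: deny
    }
    $allowed = ENDPOINT_ROLES[$endpoint] ?? [];    // unlisted endpoint: deny (fail closed)
    return in_array($role, $allowed, true);
}

// Call this at the top of each backend script, before any data is read or
// written. A denied request is logged with the account id and endpoint,
// which is the signal a detection rule for endpoint probing would key on.
function requireRole(string $endpoint): void
{
    $session = $_SESSION ?? [];
    if (!isAuthorized($session, $endpoint)) {
        http_response_code(403);
        error_log(sprintf(
            'authz denied: user=%s endpoint=%s',
            (string) ($session['user']['id'] ?? 'anon'),
            $endpoint
        ));
        exit('Forbidden');
    }
}

// Constructed demonstration data: a low-privilege 'staff' session.
$staffSession = ['user' => ['id' => 42, 'role' => 'staff']];

// The weak guard admits the staff session to every endpoint.
var_dump(weakGuard($staffSession));
// The role guard admits it only to endpoints listed for 'staff'.
var_dump(isAuthorized($staffSession, 'admin/manage_users.php'));
var_dump(isAuthorized($staffSession, 'invoice/view.php'));
```

In an existing application the guard is most easily applied by calling requireRole() from a shared include that every backend script already loads, keyed on the script's own path, so that no endpoint is left out of the allow-list by accident; an endpoint missing from the list is denied rather than allowed. Object-level checks (that the invoice being viewed belongs to the caller's company or account) still need to be added inside the handler, since a role check alone does not cover them.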



CVE-2026-9412 vulnerability details – vuln.today
