Skip to main content

Indian Invoicing System CVE-2026-9414

| EUVD-2026-31616 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-25 VulDB GHSA-9q6q-6fwh-p665
PHP XSS Indian Invoicing System
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 13:24 vuln.today
CVSS changed
May 26, 2026 - 19:37 NVD
3.5 (LOW) 2.0 (LOW)

DescriptionCVE.org

A security flaw has been discovered in SourceCodester Indian Invoicing System up to 0.x/1.0. The impacted element is an unknown function of the file /Invoicing/add_order.php of the component Invoice Template Render Database-Backed. The manipulation of the argument customer_name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

Stored cross-site scripting in SourceCodester Indian Invoicing System versions 0.x and 1.0 allows a low-privileged authenticated attacker to inject malicious JavaScript via the customer_name parameter in /Invoicing/add_order.php, which is persisted to the database and executed in the browsers of users who subsequently view the rendered invoice template. A public proof-of-concept exploit is available on GitHub (gist by c4ttr4ck), though EPSS sits at only 0.03% (9th percentile) and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Submit crafted XSS payload in customer_name via /Invoicing/add_order.php
Exploit
Payload persisted to invoice database
Execution
Privileged user views or renders the invoice
Impact
Injected script executes in victim's browser session
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must hold a low-privilege authenticated session on the Indian Invoicing System application (confirmed by CVSS PR:L); unauthenticated exploitation is not possible based on the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.0 accurately reflects a low-severity finding: the vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N confirms network reachability but requires low-privilege authentication (PR:L) and passive victim interaction (UI:P), with impact confined to low integrity on the vulnerable system only - no confidentiality breach, no availability impact, no scope change to subsequent systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user with low-privilege access (e.g., a clerk or sales role) navigates to the add-order page and submits a new invoice with a crafted `customer_name` value containing a `<script>` payload, which is stored in the database without sanitization. When an administrator or another user later views or prints the invoice - a routine workflow - the stored script executes silently in their browser session, enabling session token theft, credential harvesting, or UI redressing. …
Remediation No vendor-released patch has been identified at time of analysis - no patched version number appears in NVD, VulDB, or EUVD data, and no vendor-issued security advisory was located beyond the SourceCodester product listing. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-9414 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy