Skip to main content

code-projects Invoice System EUVDEUVD-2026-25780

| CVE-2026-7092 LOW
Improper Authorization (CWE-285)
2026-04-27 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
CVSS changed
Apr 27, 2026 - 07:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 27, 2026 - 06:45 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 06:30 euvd
EUVD-2026-25780
Analysis Generated
Apr 27, 2026 - 06:30 vuln.today
CVE Published
Apr 27, 2026 - 05:45 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /profile/ of the component Profile Handler. Such manipulation of the argument ID leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

Improper authorization in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass access controls via manipulation of the ID parameter in the Profile Handler (/profile/ endpoint), leading to unauthorized read, modification, and denial of service impacts. Public exploit code is available, elevating real-world exploitation risk despite the moderate CVSS score of 6.3.

Technical ContextAI

The vulnerability exists in the Profile Handler component of the code-projects Invoice System, a Laravel-based application. The root cause is classified as CWE-285 (Improper Authorization), indicating insufficient access control checks on the ID parameter within the /profile/ endpoint. The attack manipulates this parameter to bypass authorization logic, allowing an authenticated user to access or modify profile data belonging to other users. This is a classic insecure direct object reference (IDOR) vulnerability, where insufficient validation of user-supplied input permits lateral privilege escalation within the application.

RemediationAI

Apply authorization controls to the /profile/ endpoint by implementing access checks that verify the authenticated user's ownership or explicit permission before returning or modifying profile data associated with the requested ID parameter. If a patched version is available from code-projects (verify at https://code-projects.org/), upgrade immediately. As a compensating control pending patch availability, implement middleware or route-level authorization checks using Laravel's built-in authorization features (e.g., Gate or Policy) to enforce that users can only access their own profile data; alternatively, log all /profile/ endpoint requests and implement rate limiting on failed authorization attempts to detect exploitation attempts. Note that compensating controls do not eliminate the vulnerability and should be paired with a vendor patch as soon as available.

Share

EUVD-2026-25780 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy