Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was found in code-projects Invoice System in Laravel 1.0. Affected by this vulnerability is an unknown functionality of the file /invoice/ of the component Invoice Endpoint. Performing a manipulation of the argument ID results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
AnalysisAI
Code-Projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass authorization controls via manipulation of the ID parameter in the /invoice/ endpoint, enabling unauthorized access to invoice data with potential for modification and denial of service. The vulnerability has publicly available exploit code and is actively exploitable against default configurations.
Technical ContextAI
The vulnerability exists in the Invoice Endpoint component at the /invoice/ URI path within the Laravel-based Invoice System. It represents an improper authorization flaw (CWE-285) where user-supplied ID parameters are not properly validated or authorized before processing invoice-related operations. The attack leverages the REST endpoint's failure to enforce proper access controls on individual resource identifiers, allowing an authenticated user to access or manipulate invoice records beyond their authorization scope. This is a common pattern in Laravel applications where route model binding or manual authorization checks are inadequately implemented.
RemediationAI
The vendor (code-projects.org) has not published a publicly confirmed patched version at the time of analysis. Immediate remediation requires implementing proper authorization checks in the /invoice/ endpoint to validate that authenticated users can only access invoice records they are authorized to view or modify. Specifically, add authorization logic using Laravel's built-in Gate or Policy mechanisms to verify user ownership or role-based access before returning or modifying invoice data based on the ID parameter. As a temporary compensating control, restrict invoice endpoint access to specific user roles or IP ranges, and implement detailed audit logging on invoice access and modification to detect unauthorized access attempts. Additionally, enforce multi-factor authentication for all user accounts with invoice access to reduce the risk of credential compromise enabling this attack. Monitor invoice access patterns for anomalous ID parameter manipulation. Contact code-projects.org directly for patch availability or timeline.
More in Invoice System In Laravel
View allImproper authorization in code-projects Invoice System in Laravel 1.0 allows remote unauthenticated attackers to bypass
Improper authorization in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass ac
Improper authorization in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass ac
Cross-site scripting (XSS) in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to injec
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25782