Skip to main content

Invoice System in Laravel EUVDEUVD-2026-25782

| CVE-2026-7093 LOW
Improper Authorization (CWE-285)
2026-04-27 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
CVSS changed
Apr 27, 2026 - 07:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 27, 2026 - 06:45 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 06:30 euvd
EUVD-2026-25782
Analysis Generated
Apr 27, 2026 - 06:30 vuln.today
CVE Published
Apr 27, 2026 - 06:00 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability was found in code-projects Invoice System in Laravel 1.0. Affected by this vulnerability is an unknown functionality of the file /invoice/ of the component Invoice Endpoint. Performing a manipulation of the argument ID results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

AnalysisAI

Code-Projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass authorization controls via manipulation of the ID parameter in the /invoice/ endpoint, enabling unauthorized access to invoice data with potential for modification and denial of service. The vulnerability has publicly available exploit code and is actively exploitable against default configurations.

Technical ContextAI

The vulnerability exists in the Invoice Endpoint component at the /invoice/ URI path within the Laravel-based Invoice System. It represents an improper authorization flaw (CWE-285) where user-supplied ID parameters are not properly validated or authorized before processing invoice-related operations. The attack leverages the REST endpoint's failure to enforce proper access controls on individual resource identifiers, allowing an authenticated user to access or manipulate invoice records beyond their authorization scope. This is a common pattern in Laravel applications where route model binding or manual authorization checks are inadequately implemented.

RemediationAI

The vendor (code-projects.org) has not published a publicly confirmed patched version at the time of analysis. Immediate remediation requires implementing proper authorization checks in the /invoice/ endpoint to validate that authenticated users can only access invoice records they are authorized to view or modify. Specifically, add authorization logic using Laravel's built-in Gate or Policy mechanisms to verify user ownership or role-based access before returning or modifying invoice data based on the ID parameter. As a temporary compensating control, restrict invoice endpoint access to specific user roles or IP ranges, and implement detailed audit logging on invoice access and modification to detect unauthorized access attempts. Additionally, enforce multi-factor authentication for all user accounts with invoice access to reduce the risk of credential compromise enabling this attack. Monitor invoice access patterns for anomalous ID parameter manipulation. Contact code-projects.org directly for patch availability or timeline.

Share

EUVD-2026-25782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy