EUVD-2026-25810Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was detected in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /item of the component API Endpoint. Performing a manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used.
AnalysisAI
Improper authorization in code-projects Invoice System in Laravel 1.0 allows remote unauthenticated attackers to bypass authentication and access the /item API endpoint, resulting in limited confidentiality impact. The vulnerability has a CVSS score of 5.5 (network-accessible, low attack complexity, no privileges required), and publicly available exploit code exists, increasing real-world risk despite the moderate base score.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against the default or any configuration of the /item API endpoint in code-projects Invoice System in Laravel 1.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS v4.0 score of 5.5 with AV:N/AC:L/PR:N indicates this is a remotely exploitable vulnerability requiring no special privileges or user interaction, placing it in the moderate-to-low severity band. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker can craft a simple HTTP GET or POST request to the /item endpoint of a code-projects Invoice System instance (e.g., https://target.com/item or similar path) without providing credentials, and the endpoint fails to enforce authorization checks, returning confidential invoice item data. The attacker leverages the publicly available POC exploit code (available on GitHub Gist at https://gist.github.com/higordiego/579622f7596354ade69e235b8e1cb88b) to automate data extraction, such as item prices, descriptions, or quantities, for business intelligence or fraud purposes. |
| Remediation | The primary remediation is to upgrade code-projects Invoice System to a patched version once available from the vendor at https://code-projects.org/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today