Description
A flaw has been found in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /user of the component User Management Handler. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access through improper authorization
Action: Assess Impact
AI Analysis

Impact

A flaw in the User Management Handler of code-projects Invoice System in Laravel version 1.0 allows an attacker to manipulate the unknown function in the /user file, resulting in improper authorization. The vulnerability can be exploited remotely, enabling unauthorized actions by bypassing normal access controls. The impact is primarily the ability for an attacker to access or perform operations that they should not be allowed to execute.

Affected Systems

The affected product is code-projects Invoice System in Laravel, specifically version 1.0. No other versions or products are listed as impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk; however, the EPSS score of less than 1 % suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote web-based request to the /user endpoint, where the attacker can supply malicious input to trigger the improper authorization logic.

Generated by OpenCVE AI on April 28, 2026 at 04:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that the application is not exposed to the public Internet or limit access to the /user endpoint to authenticated users only
  • Implement proper authorization checks in the code to enforce role-based access control and prevent privilege escalation
  • Apply the principle of least privilege for user roles and remove any default administrative privileges
  • Monitor audit logs for unexpected access patterns and block suspicious requests with firewall rules

Generated by OpenCVE AI on April 28, 2026 at 04:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects invoice System In Laravel
Vendors & Products Code-projects
Code-projects invoice System In Laravel

Mon, 27 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
Description A flaw has been found in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /user of the component User Management Handler. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Title code-projects Invoice System in Laravel User Management user improper authorization
Weaknesses CWE-266
CWE-285
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Invoice System In Laravel
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T11:11:09.139Z

Reserved: 2026-04-26T08:48:57.607Z

Link: CVE-2026-7091

cve-icon Vulnrichment

Updated: 2026-04-27T11:11:05.274Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T07:16:04.343

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7091

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T05:00:14Z

Weaknesses