Description
A vulnerability has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /profile/ of the component Profile Handler. Such manipulation of the argument ID leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization
Action: Apply Patch
AI Analysis

Impact

A flaw in the Invoice System in Laravel allows an attacker to manipulate the ID argument of the /profile/ endpoint; the application does not check that the requested profile belongs to the authenticated user. The result is unauthorized access to other users’ profile data and potentially modification of sensitive information. The weakness is a classic case of improper authorization (CWE-266, CWE-285), and the bug can be triggered remotely via crafted URL parameters or API calls.

Affected Systems

The vulnerability affects code-projects Invoice System in Laravel, version 1.0. No additional affected versions were identified in the available data.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, so there is no record of active exploitation. Attackers can exploit the flaw remotely by sending crafted requests to the /profile/ path without needing elevated privileges. The primary risk is unauthorized disclosure or modification of profile data through the missing authorization check.

Generated by OpenCVE AI on April 28, 2026 at 04:47 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or repository for an updated release that addresses the /profile/ authorization flaw and install it promptly.
  • Modify the application’s authorization logic so that the ID parameter is validated against the authenticated user’s account before granting access to profile data.
  • Enable application and server logging to monitor access to the /profile/ endpoint, and configure intrusion detection rules to flag repeated requests in which the ID parameter does not match the requesting user’s account.
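The following is an added illustration, not source code from the code-projects Invoice System (whose code is not shown on this page). It places the bug class described above, a profile lookup driven only by the ID parameter, next to a Laravel fix that ties the lookup to the authenticated user through a policy and logs denied attempts for the monitoring recommended above. The controller, policy and route names, the `App\Models\User` model, and the log fields are assumptions.

```php
<?php
// Added illustration, not the code-projects Invoice System source.
// Several classes are shown in one file for reading; the comments name
// the file each would normally live in.

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Route;

// --- Vulnerable shape (constructed) ------------------------------------
// Any logged-in user who changes the ID receives someone else's profile,
// because nothing compares the requested row with the session user.
class VulnerableProfileController extends Controller
{
    public function show(int $id)
    {
        $user = User::findOrFail($id);            // lookup by untrusted ID only
        return view('profile.show', ['user' => $user]);
    }
}

// --- Ownership rule, kept in one place ---------------------------------
// Assumed to live in app/Policies/UserPolicy.php so Laravel's policy
// auto-discovery maps it to App\Models\User (or register it explicitly).
class UserPolicy
{
    public function view(User $actor, User $target): bool
    {
        return $actor->id === $target->id;
    }

    public function update(User $actor, User $target): bool
    {
        return $actor->id === $target->id;
    }
}

// --- Hardened controller (assumed app/Http/Controllers/ProfileController.php)
class ProfileController extends Controller
{
    // Route model binding resolves {user}; the policy decides whether the
    // session user may see it, and every denial is logged before the 403.
    public function show(Request $request, User $user)
    {
        $this->enforce($request, 'view', $user);
        return view('profile.show', ['user' => $user]);
    }

    public function update(Request $request, User $user)
    {
        $this->enforce($request, 'update', $user);

        $validated = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ]);
        $user->update($validated);

        return redirect()->route('profile.show', $user);
    }

    private function enforce(Request $request, string $ability, User $target): void
    {
        $decision = Gate::inspect($ability, $target);
        if ($decision->denied()) {
            // One line per denied cross-account request; repeated hits from
            // the same actor_id or ip are the signal a detection rule keys on.
            Log::warning('profile authorization denied', [
                'ability'   => $ability,
                'actor_id'  => $request->user()->id,
                'target_id' => $target->id,
                'ip'        => $request->ip(),
            ]);
            abort(403);
        }
    }
}

// --- routes/web.php (assumed) -------------------------------------------
// Both routes sit behind the auth middleware, so an unauthenticated
// request never reaches the policy check at all.
Route::middleware('auth')->group(function () {
    Route::get('/profile/{user}', [ProfileController::class, 'show'])->name('profile.show');
    Route::put('/profile/{user}', [ProfileController::class, 'update'])->name('profile.update');
});
```

If the application only ever shows a user their own profile, the simplest fix is to drop the ID parameter entirely and read the target from `$request->user()`, which removes the attacker-controlled input rather than checking it. Where an ID must remain (for example, an admin view), the policy is the single place to extend the rule, and the warning log gives the monitoring step above a concrete event to alert on.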

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

  Metrics
    Values Removed: (none)
    Values Added: ssvc
      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 20:15:00 +0000

  First Time appeared
    Values Removed: (none)
    Values Added: Code-projects; Code-projects invoice System In Laravel
  Vendors & Products
    Values Removed: (none)
    Values Added: Code-projects; Code-projects invoice System In Laravel

Mon, 27 Apr 2026 06:30:00 +0000

  Description
    Values Removed: (none)
    Values Added: A vulnerability has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /profile/ of the component Profile Handler. Such manipulation of the argument ID leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
  Title
    Values Removed: (none)
    Values Added: code-projects Invoice System in Laravel Profile profile improper authorization
  Weaknesses
    Values Removed: (none)
    Values Added: CWE-266; CWE-285
  References
    Values Removed: (none)
    Values Added: (none listed)
  Metrics
    Values Removed: (none)
    Values Added:
      cvssV2_0
        {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0
        {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1
        {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0
        {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED
Assigner: VulDB
Published:
Updated: 2026-04-29T13:47:20.141Z
Reserved: 2026-04-26T08:49:01.930Z
Link: CVE-2026-7092

Vulnrichment

Updated: 2026-04-29T13:47:11.442Z

NVD

Status: Deferred
Published: 2026-04-27T07:16:04.547
Modified: 2026-04-29T01:00:01.613
Link: CVE-2026-7092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:00:14Z

Weaknesses