Description
A vulnerability was found in code-projects Invoice System in Laravel 1.0. It affects an unknown functionality of the file /invoice/ of the component Invoice Endpoint. Manipulating the argument ID results in improper authorization. The attack can be carried out remotely. The exploit has been made public and could be used.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization
Action: Assess Impact
AI Analysis

Impact

The flaw in the Invoice System in Laravel allows a remote attacker to manipulate the ID parameter in the /invoice/ endpoint, bypassing authorization checks and gaining unauthorized access to invoice data. The vulnerability is a typical example of improper authorization (CWE-266, CWE-285) where changing a request payload triggers an elevated access level that the application does not validate. An attacker could read or potentially modify confidential invoice information, which could lead to data disclosure and integrity compromises for affected users.

Affected Systems

The vulnerability affects code-projects Invoice System in Laravel version 1.0. The affected component is the Invoice Endpoint, specifically the /invoice/ route that accepts an ID argument. No other versions or subcomponents were explicitly listed, so any installation of 1.0 is assumed vulnerable until patched.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, but the EPSS score of less than 1% suggests only a very low probability of real-world exploitation at this time. The exploit has been made public, meaning the code to abuse the flaw is available, and the attack can be performed remotely by manipulating HTTP requests. The bug is not listed in the CISA KEV catalog, so there is no current evidence of active exploitation, but the combination of public exploit code and remote trigger warrants monitoring and mitigation.

Generated by OpenCVE AI on April 28, 2026 at 04:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure that the /invoice/ endpoint validates the authenticated user’s permissions and only allows access to invoices owned by that user or authorized roles.
  • Patch or upgrade the code-projects Invoice System to a version where the ID-based authorization check is fixed, if an official fix is released.
  • Add network or application layer controls to block unauthenticated or unauthorized requests to the /invoice/ endpoint until a patch is applied.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Code-projects; Code-projects invoice System In Laravel
Vendors & Products | | Code-projects; Code-projects invoice System In Laravel

Mon, 27 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in code-projects Invoice System in Laravel 1.0. Affected by this vulnerability is an unknown functionality of the file /invoice/ of the component Invoice Endpoint. Performing a manipulation of the argument ID results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used.
Title | | code-projects Invoice System in Laravel Invoice Endpoint invoice improper authorization
Weaknesses | | CWE-266; CWE-285
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T12:28:25.623Z

Reserved: 2026-04-26T08:49:04.816Z

Link: CVE-2026-7093

Vulnrichment

Updated: 2026-04-27T12:28:21.890Z

NVD

Status: Deferred

Published: 2026-04-27T07:16:04.713

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7093

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:00:14Z
