Description
A weakness has been identified in code-projects Invoice System in Laravel 1.0. The impacted element is an unknown function of the file /company. This manipulation of the argument logo causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted File Upload
Action: Patch
AI Analysis

Impact

The vulnerability resides in an unidentified function within the /company endpoint of code-projects Invoice System in Laravel. By manipulating the logo argument, an attacker can upload arbitrary files without any restriction. This flaw is a classic example of improper access control and file upload validation (CWE-284 and CWE-434). If a malicious file is accepted, it could potentially lead to remote code execution or facilitate further attacks against the system.

Affected Systems

The affected product is code-projects Invoice System in Laravel, version 1.0. No additional vendor or product variants are listed.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of under 1% shows a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The public exploit availability and remote attack vector increase concern, yet overall risk remains moderate due to the low EPSS.

Generated by OpenCVE AI on April 28, 2026 at 04:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of Invoice System in Laravel that contains the file‑upload fix.
  • Implement strict server‑side validation of uploaded files, checking MIME types and extensions before saving them.
  • Configure the application to reject all files that are not explicitly allowed, or disable the logo upload feature if it is not required.

Generated by OpenCVE AI on April 28, 2026 at 04:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Code-projects
Code-projects invoice System In Laravel
Vendors & Products Code-projects
Code-projects invoice System In Laravel

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in code-projects Invoice System in Laravel 1.0. The impacted element is an unknown function of the file /company. This manipulation of the argument logo causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
Title code-projects Invoice System in Laravel company unrestricted upload
Weaknesses CWE-284
CWE-434
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Code-projects Invoice System In Laravel
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:29:11.889Z

Reserved: 2026-04-26T14:44:56.135Z

Link: CVE-2026-7107

cve-icon Vulnrichment

Updated: 2026-04-27T13:09:40.116Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T09:16:03.320

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7107

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T04:45:22Z

Weaknesses