Description
A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. Manipulation of the argument role leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product uses a rolling release to provide continuous delivery; therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the User Management Handler of Sushmi-pal Invoice-System allows remote manipulation of the role parameter to bypass authorization checks, enabling users to assume privileged roles. This improper authorization can result in unauthorized access to sensitive data and functions within the system.

Affected Systems

The vulnerability affects the Sushmi-pal Invoice-System, specifically the /user component of the User Management Handler. No specific version information is available because the product uses a rolling release model.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. EPSS is not available and the vulnerability is not listed in CISA KEV. Attackers can reach the vulnerable endpoint remotely and exploit the role manipulation to elevate privileges. The absence of a vendor patch or defined workaround increases the risk of exploitation.

Generated by OpenCVE AI on May 25, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately review and restrict role assignment permissions within the system, ensuring only authorized administrators can modify user roles.
  • Apply network segmentation or firewall rules to limit external access to the /user endpoint and other sensitive APIs.
  • Contact the vendor to request security updates or workarounds, and monitor for any patches or advisories.
  • Implement logging and alerts for unusual role changes or unauthorized access attempts.

Generated by OpenCVE AI on May 25, 2026 at 02:21 UTC.
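The defect class behind CWE-266/CWE-285 as described above, shown as an added example that is not code from Sushmi-pal Invoice-System or from OpenCVE: a user-update handler that copies a client-supplied role argument straight onto the user record, beside a hardened handler that decides the role change from the actor's stored role, allowlists editable fields, and writes an audit record of every allowed or denied role change (the kind of record the alerting bullet above would consume). The function names, the in-memory user table, the role names and the request dicts are all constructed for this example.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("user_mgmt")

# Roles the application knows about (constructed for this example).
VALID_ROLES = {"user", "accountant", "admin"}

# Audit trail of role-change decisions; an alert rule such as
# "denied role change" or "role changed by non-admin" would read this.
AUDIT_LOG = []


@dataclass
class User:
    id: int
    name: str
    role: str


class Forbidden(Exception):
    """Raised when the authenticated actor may not make the requested change."""


def sample_users():
    """Constructed in-memory user table standing in for the application's database."""
    return {
        1: User(1, "alice", "admin"),
        2: User(2, "bob", "user"),
        3: User(3, "carol", "accountant"),
    }


def update_user_vulnerable(users, actor_id, form):
    """Defect pattern: once the caller is logged in, every form field,
    including `role`, is written to the record. No authorization check
    guards the role change, so the request argument decides the outcome."""
    target = users[int(form["id"])]
    for key, value in form.items():
        if key != "id":
            setattr(target, key, value)
    return target


def update_user_hardened(users, actor_id, form):
    """Server-side authorization: the decision is derived from the actor's
    stored role, never from the request, and every role change is audited."""
    actor = users[actor_id]
    target = users[int(form["id"])]

    # Non-admins may only edit their own profile.
    if actor.id != target.id and actor.role != "admin":
        raise Forbidden("only administrators may edit other users")

    # Explicit allowlist of self-editable fields; `role` is deliberately absent.
    if "name" in form:
        target.name = form["name"]

    if "role" in form and form["role"] != target.role:
        if form["role"] not in VALID_ROLES:
            raise ValueError(f"unknown role {form['role']!r}")
        allowed = actor.role == "admin"
        AUDIT_LOG.append({
            "actor": actor.name, "target": target.name,
            "from": target.role, "to": form["role"],
            "outcome": "allowed" if allowed else "denied",
        })
        if not allowed:
            log.warning("denied role change by %s on %s", actor.name, target.name)
            raise Forbidden("only administrators may change roles")
        log.info("role change by %s: %s %s -> %s",
                 actor.name, target.name, target.role, form["role"])
        target.role = form["role"]
    return target


def try_update(users, actor_id, form):
    """Wrapper around the hardened handler returning an outcome string."""
    try:
        update_user_hardened(users, actor_id, form)
    except Forbidden:
        return "denied"
    return "allowed"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    users = sample_users()
    update_user_vulnerable(users, 2, {"id": "2", "role": "admin"})
    print("vulnerable handler: bob is now", users[2].role)  # admin
    users = sample_users()
    print("hardened, bob promotes himself:",
          try_update(users, 2, {"id": "2", "role": "admin"}))  # denied
    print("hardened, alice promotes bob:",
          try_update(users, 1, {"id": "2", "role": "accountant"}))  # allowed
```

The point of the hardened version is that the role argument is never trusted as an authorization input: the actor's privilege comes from the stored record, the set of fields a user may change on their own account is an explicit allowlist, and the denied attempt is recorded rather than silently rejected, which is what makes the "alert on unusual role changes" recommendation actionable.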

Advisories

No advisories yet.

History

Mon, 25 May 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. Manipulation of the argument role leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product uses a rolling release to provide continuous delivery; therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Title | (none) | Sushmi-pal Invoice-System User Management user improper authorization
First Time appeared | (none) | Sushmi-pal; Sushmi-pal invoice-system
Weaknesses | (none) | CWE-266; CWE-285
CPEs | (none) | cpe:2.3:a:sushmi-pal:invoice-system:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Sushmi-pal; Sushmi-pal invoice-system
References | (none) | (none)
Metrics | (none) |
    cvssV2_0 {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T00:15:09.684Z

Reserved: 2026-05-24T06:33:03.830Z

Link: CVE-2026-9409

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T02:30:14Z

Weaknesses