Description
A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workflow. Such manipulation of the argument ID leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to manipulate the argument ID in the /profile endpoint to obtain another user’s profile data. This improper authorization can be performed remotely by sending a crafted HTTP request, enabling the attacker to read sensitive information intended for other users. The weakness is classified under CWE-266 and CWE-285, indicating an authorization bypass through insufficient privilege checks.

Affected Systems

Sushmi-pal Invoice-System, all builds up to and including commit a0a3faa16dee2621b231ae227333f5761607283b, the last commit known to the report. Version details are unavailable because the product uses rolling releases, and no patch or updated release has been published.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be launched remotely by manipulating the ID parameter; no special network permissions are required beyond reaching the web service. Because the vendor has not responded, the risk persists until a fix is supplied or a workaround is applied.

Generated by OpenCVE AI on May 25, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify whether the system is running Sushmi-pal Invoice-System and check if it matches the vulnerable commit
  • If an updated release with the authorization fix is available, upgrade immediately; if not, implement a temporary safeguard by restricting the /profile endpoint to authenticated users and verifying that the requested ID matches the logged-in user or an authorized role
  • Add input validation and range checks on the ID parameter to prevent arbitrary access to other users’ profiles
  • Configure audit logging for /profile access attempts and set up alerts for repeated unauthorized access patterns
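The safeguard the second, third and fourth bullets describe, as an added example that is not code from Sushmi-pal Invoice-System or from OpenCVE. It models a /profile?id= handler in Python over a constructed in-memory user table with a hypothetical Session object: the pattern that trusts the id argument is placed beside a handler that validates the id, requires the record to belong to the session user or an admin role, and records denials so repeated probes can be alerted on.

```python
"""Constructed model of the /profile authorization check recommended above.

Hypothetical code: the handlers, Session object and PROFILES table are
assumptions for illustration, not the Invoice-System code base.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data standing in for the application's user table.
PROFILES = {
    1: {"name": "alice", "email": "alice@example.test", "role": "user"},
    2: {"name": "bob", "email": "bob@example.test", "role": "user"},
    3: {"name": "carol", "email": "carol@example.test", "role": "admin"},
}


@dataclass
class Session:
    """Hypothetical authenticated session: who is calling and with which role."""
    user_id: int
    role: str


@dataclass
class AuditLog:
    """Records denied /profile lookups and flags callers that keep retrying."""
    entries: list = field(default_factory=list)
    denied: Counter = field(default_factory=Counter)

    def record_denial(self, session, requested, reason):
        self.entries.append(
            {"user": session.user_id, "requested": requested, "reason": reason}
        )
        self.denied[session.user_id] += 1

    def alerts(self, threshold=5):
        """User ids whose denial count reached the alert threshold."""
        return [uid for uid, n in self.denied.items() if n >= threshold]


def parse_id(id_param):
    """Input validation: the id must be a positive integer in a sane range."""
    try:
        value = int(str(id_param).strip())
    except (TypeError, ValueError):
        return None
    return value if 0 < value < 2**31 else None


def profile_vulnerable(session, id_param):
    """Before: only checks that a session exists, then returns whatever
    record the client asked for, so any user can read any profile."""
    if session is None:
        return 401, None
    return 200, PROFILES.get(parse_id(id_param))


def profile_hardened(session, id_param, audit):
    """After: authenticated, validated id, and the record must belong to the
    caller unless the caller holds the admin role."""
    if session is None:
        return 401, None
    requested = parse_id(id_param)
    if requested is None:
        audit.record_denial(session, id_param, "invalid id")
        return 400, None
    # Object-level authorization check: own record or admin role.
    if requested != session.user_id and session.role != "admin":
        audit.record_denial(session, requested, "not owner")
        return 403, None
    record = PROFILES.get(requested)
    if record is None:
        # Only reachable by admins, so 404 does not leak existence to ordinary users.
        return 404, None
    return 200, record


def denials_for(session, id_param, attempts, threshold=5):
    """Replay `attempts` lookups from one caller and return the ids flagged
    by the audit log; models the alerting rule for repeated unauthorized access."""
    audit = AuditLog()
    for _ in range(attempts):
        profile_hardened(session, id_param, audit)
    return audit.alerts(threshold)


if __name__ == "__main__":
    print("vulnerable:", profile_vulnerable(Session(1, "user"), "2"))
    print("hardened:  ", profile_hardened(Session(1, "user"), "2", AuditLog()))
    print("flagged:   ", denials_for(Session(2, "user"), "1", 5))
```

The ownership test runs before the record lookup, so an ordinary user receives the same 403 whether or not the requested id exists, and the audit log keys denials on the session user rather than on the requested id, which is what a repeated-probe alert needs to key on.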

Advisories

No advisories yet.

History

Mon, 25 May 2026 01:30:00 +0000

Columns: Type, Values Removed, Values Added. This entry removed no values; the values added are:

Description: A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workflow. Such manipulation of the argument ID leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
Title: Sushmi-pal Invoice-System Profile Workflow profile improper authorization
First Time appeared: Sushmi-pal; Sushmi-pal invoice-system
Weaknesses: CWE-266; CWE-285
CPEs: cpe:2.3:a:sushmi-pal:invoice-system:*:*:*:*:*:*:*:*
Vendors & Products: Sushmi-pal; Sushmi-pal invoice-system
References:
Metrics:
  cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T00:30:10.127Z

Reserved: 2026-05-24T06:33:07.555Z

Link: CVE-2026-9410

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T02:30:14Z

Weaknesses