Description
A vulnerability was determined in SourceCodester Indian Invoicing System 1.0. Impacted is an unknown function of the component Backend Endpoint. Executing a manipulation can lead to improper access controls. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Multiple endpoints are affected.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Backend Endpoint component of SourceCodester Indian Invoicing System 1.0 and allows an attacker to manipulate requests so that the normal access control checks are bypassed. By sending crafted data to an affected endpoint, an attacker can obtain authorization that should not be granted, enabling unauthorized data access or modification. The weakness is a classic improper access control flaw, classified as CWE-266 and CWE-284. No privilege escalation beyond the scope of the endpoint has been disclosed, but the damage can extend to the confidential financial information handled by the application.

Affected Systems

SourceCodester Indian Invoicing System version 1.0 is impacted. All backend endpoints that were reported to be vulnerable must be examined for similar control logic.

Risk and Exploitability

The flaw carries a CVSS base score of 5.3 and is considered moderately severe. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The attack can be performed remotely and the exploit is publicly disclosed, meaning attackers can readily use it. While the severity is moderate, the presence of multiple affected endpoints increases the overall exposure. An attacker with internet access to the application can potentially bypass authentication or authorization checks and alter data or access sensitive financial records.

Generated by OpenCVE AI on May 25, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or upgrade to the latest version of Indian Invoicing System if released.
  • Limit network exposure of the backend endpoints by configuring firewall rules or network segmentation so that only authorized hosts can reach them.
  • Verify that each backend endpoint enforces strict authentication and role-based authorization checks before processing the request.
  • If a patch is unavailable, implement application-layer validation that confirms the user's role and permissions for every protected operation.
  • Check the vendor's website or security advisory feeds regularly for updates or public workarounds.

Generated by OpenCVE AI on May 25, 2026 at 02:20 UTC.

Advisories

No advisories yet.

History

Mon, 25 May 2026 01:30:00 +0000

Type / Values Removed / Values Added

Description
  Added: A vulnerability was determined in SourceCodester Indian Invoicing System 1.0. Impacted is an unknown function of the component Backend Endpoint. Executing a manipulation can lead to improper access controls. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Multiple endpoints are affected.

Title
  Added: SourceCodester Indian Invoicing System Backend Endpoint access control

First Time appeared
  Added: Sourcecodester; Sourcecodester indian Invoicing System

Weaknesses
  Added: CWE-266; CWE-284

CPEs
  Added: cpe:2.3:a:sourcecodester:indian_invoicing_system:*:*:*:*:*:*:*:*

Vendors & Products
  Added: Sourcecodester; Sourcecodester indian Invoicing System

References
  Added: (none listed)

Metrics
  Added:
    cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T01:00:14.997Z

Reserved: 2026-05-24T06:38:32.106Z

Link: CVE-2026-9412

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T02:30:14Z

Weaknesses