{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7093", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-26T08:49:04.816Z", "datePublished": "2026-04-27T06:00:16.743Z", "dateUpdated": "2026-04-27T12:28:25.623Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T06:00:16.743Z"}, "title": "code-projects Invoice System in Laravel Invoice Endpoint invoice improper authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-266", "lang": "en", "description": "Incorrect Privilege Assignment"}]}], "affected": [{"vendor": "code-projects", "product": "Invoice System in Laravel", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["Invoice Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in code-projects Invoice System in Laravel 1.0. Affected by this vulnerability is an unknown functionality of the file /invoice/ of the component Invoice Endpoint. Performing a manipulation of the argument ID results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-26T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-26T10:54:17.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "c4ttr4ck (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/359668", "name": "VDB-359668 | code-projects Invoice System in Laravel Invoice Endpoint invoice improper authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359668/cti", "name": "VDB-359668 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/800389", "name": "Submit #800389 | code-projects Invoice System in Laravel 1.0 Invoice System in Laravel", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/higordiego/1d1a2b84768e4f80c673bd27be32c256", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T12:28:17.198784Z", "id": "CVE-2026-7093", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T12:28:25.623Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7093", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T12:28:17.198784Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T12:28:21.890Z"}}], "cna": {"tags": ["x_freeware"], "title": "code-projects Invoice System in Laravel Invoice Endpoint invoice improper authorization", "credits": [{"lang": "en", "type": "reporter", "value": "c4ttr4ck (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "code-projects", "modules": ["Invoice Endpoint"], "product": "Invoice System in Laravel", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-26T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-26T10:54:17.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/359668", "name": "VDB-359668 | code-projects Invoice System in Laravel Invoice Endpoint invoice improper authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359668/cti", "name": "VDB-359668 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/800389", "name": "Submit #800389 | code-projects Invoice System in Laravel 1.0 Invoice System in Laravel", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/higordiego/1d1a2b84768e4f80c673bd27be32c256", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in code-projects Invoice System in Laravel 1.0. Affected by this vulnerability is an unknown functionality of the file /invoice/ of the component Invoice Endpoint. Performing a manipulation of the argument ID results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-27T06:00:16.743Z"}}}, "cveMetadata": {"cveId": "CVE-2026-7093", "state": "PUBLISHED", "dateUpdated": "2026-04-27T12:28:25.623Z", "dateReserved": "2026-04-26T08:49:04.816Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-27T06:00:16.743Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in code-projects Invoice System in Laravel 1.0. Affected by this vulnerability is an unknown functionality of the file /invoice/ of the component Invoice Endpoint. Performing a manipulation of the argument ID results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used."}], "id": "CVE-2026-7093", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-27T07:16:04.713", "references": [{"source": "cna@vuldb.com", "url": "https://code-projects.org/"}, {"source": "cna@vuldb.com", "url": "https://gist.github.com/higordiego/1d1a2b84768e4f80c673bd27be32c256"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/800389"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359668"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359668/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Invoice System in Laravel", "source": "cna", "vendor": "code-projects"}, "product": "invoice_system_in_laravel", "vendor": "code-projects"}], "analysis": {"en": {"generated_at": "2026-04-28T04:46:56.722275+00:00", "value": {"mitigation_remediation": ["Ensure that the /invoice/ endpoint validates the authenticated user\u2019s permissions and only allows access to invoices owned by that user or authorized roles.", "Patch or upgrade the code\u2011projects Invoice System to a version where the ID\u2011based authorization check is fixed, if an official fix is released.", "Add network or application layer controls to block unauthenticated or unauthorized requests to the /invoice/ endpoint until a patch is applied."], "summary": {"action": "Assess Impact", "impact": "Improper Authorization"}, "threat_synthesis": {"affected_systems": "The vulnerability affects code-projects Invoice System in Laravel version 1.0. The affected component is the Invoice Endpoint, specifically the /invoice/ route that accepts an ID argument. No other versions or subcomponents were explicitly listed, so any installation of 1.0 is assumed vulnerable until patched.", "description_and_impact": "The flaw in the Invoice System in Laravel allows a remote attacker to manipulate the ID parameter in the /invoice/ endpoint, bypassing authorization checks and gaining unauthorized access to invoice data. The vulnerability is a typical example of improper authorization (CWE-266, CWE-285) where changing a request payload triggers an elevated access level that the application does not validate. An attacker could read or potentially modify confidential invoice information, which could lead to data disclosure and integrity compromises for affected users.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, but the EPSS score of less than 1\u202f% suggests only a very low probability of real-world exploitation at this time. The exploit has been made public, meaning the code to abuse the flaw is available, and the attack can be performed remotely by manipulating HTTP requests. The bug is not listed in the CISA KEV catalog, so there is no current evidence of active exploitation, but the combination of public exploit code and remote trigger warrants monitoring and mitigation."}}}}, "created": "2026-04-27T19:51:37.630123+00:00", "updated": "2026-04-28T05:00:14.730514+00:00", "vendors": ["code-projects", "code-projects$PRODUCT$invoice_system_in_laravel"]}