CVE-2026-9410

MEDIUM

Sushmi-pal Invoice-System Profile Workflow profile improper authorization

Title source: cna

Description

A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workflow. Such manipulation of the argument ID leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core References
Vdb Entry, Technical Description
VDB-365391 | Sushmi-pal Invoice-System Profile Workflow profile improper authorization
https://vuldb.com/vuln/365391
Signature, Permissions Required
VDB-365391 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/365391/cti
Third Party Advisory
Submit #813606 | Sushmi-pal Invoice-System 1.0 Insecure Direct Object Reference (IDOR)
https://vuldb.com/submit/813606

Scores

CVSS v3 4.3
EPSS 0.0026
EPSS Percentile 16.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-266 CWE-285
Status published
Products (1)
Sushmi-pal/Invoice-System a0a3faa16dee2621b231ae227333f5761607283b
Published May 25, 2026
Tracked Since May 25, 2026