CVE-2026-7110
Description
A flaw has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /item. Manipulating the argument item name/description can lead to cross-site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-based XSS in code-projects Invoice System in Laravel 1.0 via /item endpoint allows remote attackers to execute arbitrary JavaScript.
Vulnerability Overview
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Invoice System in Laravel 1.0, a project by code-projects [2]. The flaw resides in the invoice item rendering logic, where JavaScript uses innerHTML to inject item names and descriptions into the DOM without sanitization. This allows an attacker to supply malicious payloads via the item name or description fields, leading to script execution in the browser of any user who views the invoice form [1].
Attack Vector
The vulnerability is remotely exploitable without authentication. An attacker can exploit the /item endpoint to manipulate the item name or description fields. The provided payload "><img src=x onerror=alert(document.domain)> demonstrates how the browser executes arbitrary JavaScript when the malicious content is rendered via innerHTML [1]. No special network position is required; the attack can be carried out by any user able to submit data to the vulnerable endpoint.
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the application's origin. This can lead to theft of CSRF tokens, session cookies, and unauthorized modification of the invoice form's content in the victim's browser, affecting both confidentiality and integrity [1].
Mitigation
As of this writing, the vulnerability remains unpatched. The recommended mitigations include replacing innerHTML with textContent or innerText, implementing proper output encoding, and using auto-escaping client-side templating [1]. Organizations using this software should apply these fixes or consider alternative solutions until an official patch is released.
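As an added example (not code from the Invoice System project or from the cited advisory), the JavaScript below places the innerHTML pattern described above beside the two fixes the mitigation names: output encoding before any string reaches markup, and textContent so no markup is parsed at all. The field names, the row-rendering helpers and the looksLikeMarkup check are assumptions for illustration; the string-based functions run without a browser, while the DOM helpers only execute when a document exists.

```javascript
// Added example, not the project's own code. Field names (name, description)
// and helper names are assumed; the vulnerable project's rendering code is
// not reproduced here.

// Output encoding for the characters that change meaning in HTML text and
// attribute contexts. Use this whenever a value must be spliced into markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE pattern (the one the advisory describes): user-controlled item
// fields are concatenated into markup and assigned to innerHTML, so any tag
// contained in the name or description becomes live DOM, event handlers
// included. Kept here only for contrast; do not use.
function renderItemRowUnsafe(container, item) {
  container.innerHTML =
    '<td>' + item.name + '</td><td>' + item.description + '</td>';
}

// HARDENED 1: still build markup, but encode every value first. Returns a
// string so it can be checked without a browser.
function buildItemRowHtml(item) {
  return '<td>' + escapeHtml(item.name) + '</td><td>' +
         escapeHtml(item.description) + '</td>';
}

// HARDENED 2: avoid markup entirely. textContent assigns a text node; the
// browser never parses the value, so '<img ...>' stays literal text.
function renderItemRowSafe(container, item) {
  container.textContent = ''; // clear the previous row
  for (const field of [item.name, item.description]) {
    const cell = document.createElement('td');
    cell.textContent = field;
    container.appendChild(cell);
  }
}

// Detection aid for server-side logging or alerting: flags submitted item
// fields that contain a tag opener or an inline event-handler attribute.
// This is a signal for monitoring, not a substitute for encoding on output.
function looksLikeMarkup(value) {
  const s = String(value);
  return /<\s*[a-z!\/]/i.test(s) || /\bon[a-z]+\s*=/i.test(s);
}

// Constructed sample input: the payload quoted in the advisory as the item
// name, and an ordinary description.
const sampleItem = {
  name: '"><img src=x onerror=alert(document.domain)>',
  description: 'Blue widget, 2 pcs',
};

// Stand-alone run: in a browser, render safely into a <tr id="item-row">;
// under Node, print the encoded row and the detection result instead.
if (typeof document !== 'undefined' && document.getElementById('item-row')) {
  renderItemRowSafe(document.getElementById('item-row'), sampleItem);
} else {
  console.log(buildItemRowHtml(sampleItem));
  console.log('markup-like name:', looksLikeMarkup(sampleItem.name));
}
```

The encoded row never contains an unescaped tag, so the same string that the innerHTML path would turn into an image element with an event handler is rendered as visible text; the textContent path reaches the same result without any string escaping, which is why it is the simpler fix where the value is plain text rather than formatted HTML.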
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 5
News mentions: 0 (No linked articles in our index yet.)