Description
Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Attackers can send POST requests to the login endpoint with malicious SQL payloads using boolean-based blind or time-based blind techniques to extract sensitive database information.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection permitting data extraction
Action: Patch Now
AI Analysis

Impact

The flaw is a classic SQL injection in the login function of Wecodex Restaurant CMS 1.0. Attackers can insert malicious SQL through the username field when submitting a POST request, causing the application to execute unintended queries. This enables unauthenticated users to read sensitive database contents using boolean-based blind or time-based techniques. The weakness aligns with CWE-89 and can compromise confidentiality of stored data.

Affected Systems

All installations of Wecodex Restaurant CMS version 1.0 that expose the login page to the public are vulnerable. No other product versions have been reported to be affected.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of less than 1% suggests exploitation is uncommon in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is sending crafted POST requests to the publicly exposed login endpoint; this inference is made because no other direct attack path is described in the data. An attacker who succeeds can read any data stored in the CMS database, potentially leading to privacy breaches and reputational damage.

Generated by OpenCVE AI on March 28, 2026 at 06:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor patch or upgrade from Wecodex Restaurant CMS 1.0 to a non-vulnerable version if one is available.
  • If no update exists, restrict access to the login page by configuring firewall rules or placing it behind a web-application firewall to limit exposure to the public internet.
  • Monitor web server logs for anomalous POST requests to the login endpoint and alert on suspicious activity.
  • Implement input validation or use parameterized queries to prevent SQL injection through the username field if custom development is possible.
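The last recommendation above is the root-cause fix. The following Python example is added here to illustrate it; it is not code from Wecodex Restaurant CMS (whose source is not shown on this page) and assumes a hypothetical `users` table with `username` and `password_hash` columns. `login_vulnerable` reproduces the pattern the advisory describes, where the username is concatenated into the SQL text, and `login_safe` is the parameterized form. The constructed probe input shows that the concatenated query accepts a wrong password because the quote character ends the string literal and the remainder is parsed as SQL, whereas the placeholder version treats the whole username as data.

```python
import hashlib
import sqlite3


def hash_password(password: str) -> str:
    # Constructed for the demo; a real application should use a slow KDF such as bcrypt or argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table holding one constructed test account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        ("admin", hash_password("correct-horse")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the advisory describes: the username becomes part of the SQL text."""
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password_hash = '{hash_password(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders send the username to the driver as data, never as SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    params = (username, hash_password(password))
    return conn.execute(query, params).fetchone() is not None


def demo() -> dict:
    """Run both login paths against a valid credential and a constructed tautology probe."""
    conn = make_db()
    probe = "' OR 1=1 --"  # constructed input; the password supplied with it is wrong
    return {
        "vulnerable_valid": login_vulnerable(conn, "admin", "correct-horse"),
        "vulnerable_probe": login_vulnerable(conn, probe, "wrong"),
        "safe_valid": login_safe(conn, "admin", "correct-horse"),
        "safe_probe": login_safe(conn, probe, "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

The `vulnerable_probe` entry comes back `True` while `safe_probe` comes back `False`: the same input, the same table, and only the query construction differs. Input validation on the username is a useful second layer, but the parameterized query is what removes the weakness, because it does not depend on predicting every string the database might interpret as code.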
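For the monitoring recommendation, the following Python example is added here (it is not part of the OpenCVE page or the product) and shows one practical check that works even though web server access logs do not record POST bodies: blind extraction techniques need many requests per extracted byte, so a burst of POSTs to the login endpoint from a single client is a useful signal. The login path `/login`, the 60-second window and the threshold of 10 requests are assumptions, and the log lines are constructed in combined-log style.

```python
import re
from collections import defaultdict
from datetime import datetime

LOGIN_PATH = "/login"   # assumed path; the advisory names only "the login endpoint"
WINDOW_SECONDS = 60     # assumed sliding window
THRESHOLD = 10          # assumed number of login POSTs per window that triggers an alert

# Matches the leading fields of a common/combined access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: two ordinary clients, then one client issuing 12 login POSTs in 33 seconds.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Mar/2026:10:00:00 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.5 - - [28/Mar/2026:10:00:03 +0000] "GET /menu HTTP/1.1" 200 4120',
    '198.51.100.7 - - [28/Mar/2026:10:05:10 +0000] "POST /login HTTP/1.1" 200 812',
] + [
    f'192.0.2.44 - - [28/Mar/2026:10:07:{sec:02d} +0000] "POST /login HTTP/1.1" 200 812'
    for sec in range(0, 36, 3)
]


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def flag_login_bursts(lines) -> dict:
    """Map client IP -> peak number of login POSTs seen inside any WINDOW_SECONDS window."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # Compare the path without its query string so "?next=..." variants still count.
        if method == "POST" and path.split("?", 1)[0] == LOGIN_PATH:
            per_ip[ip].append(ts)

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window forward until it spans at most WINDOW_SECONDS.
            while (t - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            count = end - start + 1
            if count >= THRESHOLD:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, peak in flag_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} login POSTs within {WINDOW_SECONDS}s")
```

Only `192.0.2.44` is reported. In production the threshold should be tuned against the site's normal login rate, and the same count can be keyed on a session or account identifier where the application logs one, since a single IP is a coarse notion of "client" behind shared proxies.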


Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wecodex restaurant Cms
CPEs | | cpe:2.3:a:wecodex:restaurant_cms:1.0:*:*:*:*:*:*:*
Vendors & Products | | Wecodex restaurant Cms

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wecodex
 | | Wecodex wecodex Restaurant Cms
Vendors & Products | | Wecodex
 | | Wecodex wecodex Restaurant Cms

Thu, 26 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Wecodex Restaurant CMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the username parameter. Attackers can send POST requests to the login endpoint with malicious SQL payloads using boolean-based blind or time-based blind techniques to extract sensitive database information.
Title | | Wecodex Restaurant CMS 1.0 SQL Injection via Login
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
 | | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T13:38:07.688Z

Reserved: 2026-03-06T11:54:43.500Z

Link: CVE-2018-25185

Vulnrichment

Updated: 2026-03-26T13:38:03.575Z

NVD

Status: Analyzed

Published: 2026-03-26T12:16:04.270

Modified: 2026-03-27T21:00:41.613

Link: CVE-2018-25185

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:27:58Z

Weaknesses