Description
A vulnerability was identified in yashpokharna2555 restaurent-management-system. This affects an unknown function of the file /forgotpassword.php of the component POST Parameter Handler. Such manipulation of the argument email leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-28
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A POST parameter named email in the forgotpassword.php file of the yashpokharna2555 restaurant-management-system allows attackers to inject arbitrary SQL commands. Through specially crafted requests the vulnerability can be triggered remotely, giving the attacker read or write access to the database and potentially enabling full application compromise. The weakness is a classic SQL injection flaw that jeopardizes data confidentiality and integrity.

Affected Systems

The flaw resides in the yashpokharna2555 restaurent-management-system application, for which no versioning information is available. Consequently, all deployments of this system are considered vulnerable until a fix is applied or the project releases an updated version.

Risk and Exploitability

The CVSS 4.0 score of 6.9 corresponds to a medium severity rating. EPSS data is unavailable; a public exploit exists, but the vulnerability is not listed in the CISA KEV catalog. Attackers can launch the exploit from any remote host, making the threat immediate for exposed installations.

Generated by OpenCVE AI on June 28, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched release of the restaurant-management-system once the maintainers provide one, or replace the source with a stable fork that addresses the issue.
  • Validate the email POST parameter against a strict email format and rewrite the database query to use prepared statements or parameterized SQL, eliminating the injection surface.
  • Deploy a web application firewall rule or equivalent input filtering that blocks suspicious SQL patterns targeting the /forgotpassword.php endpoint to stop exploitation while a patch is applied.
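The second recommended action, in code: an added example of a hardened forgot-password lookup, written here for illustration and not taken from the yashpokharna2555 project. It assumes a PDO connection in `$pdo`, a `users` table with an `email` column, and a hypothetical helper `findUserIdByEmail`; the in-memory SQLite database and the sample row are constructed so the script runs stand-alone.

```php
<?php
// Added example (not the project's code): hardened forgot-password lookup.
// Assumptions: a PDO connection in $pdo and a table `users` with an `email`
// column. Both are illustrative, not taken from the advisory.

// The pattern behind this class of bug: the raw POST value is spliced into
// the SQL text, so whatever the client sends becomes part of the query.
//   $sql = "SELECT id FROM users WHERE email = '" . $_POST['email'] . "'";
//   $result = $pdo->query($sql);

/**
 * Returns the user id for a syntactically valid, registered e-mail address,
 * or null when the address is malformed or unknown. The submitted value is
 * bound as a parameter and never becomes part of the SQL text.
 */
function findUserIdByEmail(PDO $pdo, string $email): ?int
{
    // Step 1: strict format validation; anything that is not an e-mail
    // address (including quote characters or SQL keywords) is rejected here.
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        return null;
    }

    // Step 2: parameterized query; the driver transmits the value
    // separately from the statement, so it cannot alter the query.
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = :email LIMIT 1');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// Illustrative in-memory database with one constructed sample row.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the client library, performs the parameter binding.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)');
$pdo->exec("INSERT INTO users (email) VALUES ('alice@example.com')");

// Handler: the response is identical whether or not the address exists,
// so the endpoint cannot be used to enumerate registered accounts.
$submitted = $_POST['email'] ?? '';
$userId = findUserIdByEmail($pdo, $submitted);
if ($userId !== null) {
    // Issue and e-mail a reset token for $userId (out of scope here).
}
echo 'If that address is registered, a reset link has been sent.';
```

A request whose `email` parameter contains quote characters or SQL fragments fails `filter_var` and returns null before any query runs; a well-formed address reaches the database only as a bound parameter. Validation alone is not the fix, because a future change to the format check could let metacharacters through; the prepared statement is what removes the injection surface, and the validation is defence in depth.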

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 13:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | A vulnerability was identified in yashpokharna2555 restaurent-management-system. This affects an unknown function of the file /forgotpassword.php of the component POST Parameter Handler. Such manipulation of the argument email leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Title | (none) | yashpokharna2555 restaurent-management-system POST Parameter forgotpassword.php sql injection
First Time appeared | (none) | Yashpokharna2555; Yashpokharna2555 restaurent-management-system
Weaknesses | (none) | CWE-74; CWE-89
CPEs | (none) | cpe:2.3:a:yashpokharna2555:restaurent-management-system:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Yashpokharna2555; Yashpokharna2555 restaurent-management-system
References | (none) | (none)
Metrics | (none) | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-28T13:00:08.806Z

Reserved: 2026-06-27T18:10:42.883Z

Link: CVE-2026-13498

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T14:45:17Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')