CVE-2026-1600 - Vulnerability Details

- Bdtask Bhojon All-In-One Restaurant Management System Add-to-Cart Submission Endpoint addtocart logic error

Description

A vulnerability was identified in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The impacted element is an unknown function of the file /hungry/addtocart of the component Add-to-Cart Submission Endpoint. The manipulation of the argument price/allprice leads to business logic errors. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-01-29

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the /hungry/addtocart endpoint of Bdtask's Bhojon All‑In‑One Restaurant Management System allows attackers to manipulate the "price" and "allprice" arguments, causing the server to accept out‑of‑range or falsified pricing. The backend logic trusts these client‑supplied values without adequate server‑side validation, which can result in improper billing, fraudulent orders, and loss of revenue. This defect is categorized as CWE‑840, a business‑logic error that stems from incorrect assumption about trusted data.

Affected Systems

The vulnerability impacts Bdtask's Bhojon All‑In‑One Restaurant Management System in all releases up to and including 20260116. No later versions have been confirmed to contain the flaw, but users should verify that they are running a version released after this date.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity, while the EPSS score is below 1 %, reflecting a low yet non‑zero likelihood of exploitation. The flaw is not listed in CISA's KEV catalog. Attackers can exploit it remotely by submitting crafted add‑to‑cart requests that alter price values, thereby bypassing intended pricing rules and potentially generating incorrect charges. Because the issue primarily affects business logic and financial accuracy rather than enabling code execution or denial of service, its impact depends on the system’s reliance on accurate billing and customer trust.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Bdtask

Bhojon All-In-One Restaurant Management System

affected

Version	Status	Constraints
`20260116`	affected	—

Configuration 1 [-]

cpe:2.3:a:bdtask:bhojon:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Bdtask	Bhojon	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Ensure that price and allprice values are validated and calculated server‑side, rejecting any client‑supplied price adjustments that do not match database records or business rules.
Upgrade the Bhojon All‑In‑One Restaurant Management System to a version released after 20260116 once an official patch becomes available.
If a patch is not yet available, temporarily disable or remove the ability for users to supply price parameters in the add‑to‑cart request, and enforce calculation of pricing exclusively on the server.

Generated by OpenCVE AI on April 18, 2026 at 01:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00056.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/4m3rr0r/PoCVulDb/issues/14
https://vuldb.com/?ctiid.343362
https://vuldb.com/?id.343362
https://vuldb.com/?submit.740741
https://www.youtube.com/watch?v=UESZTjVS4Fs

History

Thu, 19 Feb 2026 21:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:bdtask:bhojon::::::::

Fri, 30 Jan 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bdtask Bdtask bhojon
Vendors & Products		Bdtask Bdtask bhojon

Thu, 29 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 29 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The impacted element is an unknown function of the file /hungry/addtocart of the component Add-to-Cart Submission Endpoint. The manipulation of the argument price/allprice leads to business logic errors. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Bdtask Bhojon All-In-One Restaurant Management System Add-to-Cart Submission Endpoint addtocart logic error
Weaknesses		CWE-840
References		https://github.com/4m3rr0r/PoCVulDb/issues/14 https://vuldb.com/?ctiid.343362 https://vuldb.com/?id.343362 https://vuldb.com/?submit.740741 https://www.youtube.com/watch?v=UESZTjVS4Fs
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Bdtask Bhojon

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-29T18:02:06.201Z

Updated: 2026-02-23T09:06:22.910Z

Reserved: 2026-01-29T08:44:44.234Z

Link: CVE-2026-1600

Vulnrichment

Updated: 2026-01-29T21:15:03.975Z

NVD

Status : Analyzed

Published: 2026-01-29T18:16:14.773

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-1600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses

CWE-840

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object