Description
A flaw has been found in projectworlds Online Food Ordering System 1.0. This affects an unknown function of the file /view-ticket.php. Executing a manipulation of the argument ID can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been published and may be used.
Published: 2026-02-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Assess
AI Analysis

Impact

A flaw was identified in the view-ticket.php file of Projectworlds Online Food Ordering System. Manipulating the ID argument can cause an SQL injection that is exploitable over the network. The vulnerability is rated CVSS 6.9. The weakness is classified as SQL injection (CWE-89, CWE-74).

Affected Systems

The affected product is Projectworlds Online Food Ordering System, version 1.0. No other versions or patches are currently documented as mitigating this issue. This version is identified by the CPE strings shown in the advisory and is the only known variant affected.

Risk and Exploitability

The flaw is remotely exploitable, and a proof of concept has been published. The EPSS score of < 1% indicates a low probability of exploitation under typical circumstances. The vulnerability is not listed in the CISA KEV catalog. The likely attack path involves an unauthenticated user sending a crafted request to the /view-ticket.php endpoint with a malicious ID value to trigger the SQL injection.

Generated by OpenCVE AI on April 18, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check with the vendor for an available patch or update addressing this flaw.
  • Constrain the ID parameter to integer values only, using strict type validation or parameterized database queries.
  • Ensure the database user that the application uses has the minimum privileges necessary, preferably read-only for ticket viewing functions.
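
The first two recommended actions combined in one handler, as an added example that is not code from the affected project: the `tickets` table, its columns, the `fetch_ticket` helper and the in-memory SQLite database are assumptions made so the example runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the ticket row, or null when the ID is
// malformed or unknown. A real page would answer null with HTTP 400/404.
function fetch_ticket(PDO $db, mixed $rawId): ?array
{
    // 1. Strict type validation: accept only a positive decimal integer.
    //    FILTER_VALIDATE_INT rejects trailing SQL, quotes, arrays and "".
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Parameterized query: the value is bound as an integer and is never
    //    concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, subject, status FROM tickets WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

// Constructed demo data (assumed schema, not the application's real one).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT, status TEXT)');
$db->exec("INSERT INTO tickets VALUES (1, 'Late delivery', 'open'), (2, 'Refund', 'closed')");

// Constructed inputs: two valid IDs, then values the validation must refuse.
foreach (['1', '2', '1 OR 1=1', "1' -- ", '', '-5', ['1']] as $input) {
    $ticket = fetch_ticket($db, $input);
    printf("%-12s => %s\n", json_encode($input), $ticket ? $ticket['subject'] : 'rejected');
}
```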


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:projectworlds:online_food_ordering_system:*:*:*:*:*:*:*:*

Wed, 11 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:projectworlds:online_food_ordering_system:1.0:*:*:*:*:*:*:*

Tue, 10 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Projectworlds
Projectworlds online Food Ordering System
Vendors & Products Projectworlds
Projectworlds online Food Ordering System

Sun, 08 Feb 2026 05:30:00 +0000

Type Values Removed Values Added
Description A flaw has been found in projectworlds Online Food Ordering System 1.0. This affects an unknown function of the file /view-ticket.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.
Title projectworlds Online Food Ordering System view-ticket.php sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:38:18.396Z

Reserved: 2026-02-06T20:59:35.229Z

Link: CVE-2026-2136

Vulnrichment

Updated: 2026-02-10T19:51:24.758Z

NVD

Status: Analyzed

Published: 2026-02-08T06:16:16.313

Modified: 2026-02-11T18:54:34.160

Link: CVE-2026-2136

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z
