Description
SQL Injection vulnerability in the /api/integrations/getintegrations endpoint of Order Up Online Ordering System 1.0 allows an unauthenticated attacker to access sensitive backend database data via a crafted store_id parameter in a POST request.
Published: 2026-02-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated data exfiltration via SQL injection
Action: Assess Impact
AI Analysis

Impact

SQL injection occurs in the /api/integrations/getintegrations endpoint of Order Up Online Ordering System 1.0 when the store_id parameter in a POST request is not properly sanitized. An attacker can alter this parameter to inject arbitrary SQL, enabling the retrieval of sensitive backend database information. The vulnerability results in unauthorized data disclosure with a CVSS base score of 9.8, indicating a critical level of risk.

Affected Systems

The exposed product is Order Up Online Ordering System version 1.0. No other affected versions were identified in the CNA data.

Risk and Exploitability

The CVSS score of 9.8 indicates a severe threat, while the EPSS score below 1% suggests that, as of the data provided, exploitation in the wild is unlikely to be frequent. The vulnerability can be triggered by any unauthenticated actor who can send a crafted HTTP POST request to the vulnerable endpoint, from any network location that can reach the API service. Although exploitation requires neither authentication nor privilege escalation, a successful attack would allow the attacker to read, and potentially modify, sensitive database contents, compromising confidentiality and integrity.

Generated by OpenCVE AI on April 17, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch or upgrade to a corrected version of Order Up Online Ordering System when it becomes available.
  • Restrict unauthenticated access to the /api/integrations/getintegrations endpoint by enforcing authentication or IP whitelisting.
  • Implement input validation and use parameterized database queries for the store_id parameter to eliminate injection risks.
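The third action above, shown as an added example that is not code from Order Up or from OpenCVE. The advisory does not disclose the product's implementation language or schema, so this uses Python with an in-memory sqlite3 database and a constructed `integrations` table; the functions `get_integrations_unsafe`, `validate_store_id`, `get_integrations_safe` and `safe_rejects` are hypothetical names chosen for illustration. The unsafe function shows the CWE-89 pattern (request value spliced into the SQL text); the safe function applies allow-list validation of `store_id` and then binds it as a query parameter.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows; the real Order Up schema is not known from the advisory.
SAMPLE_ROWS = [
    (1, "pos-sync", "key-store1-AAAA"),
    (1, "delivery", "key-store1-BBBB"),
    (2, "pos-sync", "key-store2-CCCC"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed 'integrations' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE integrations ("
        "id INTEGER PRIMARY KEY, store_id INTEGER NOT NULL, "
        "name TEXT NOT NULL, api_key TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO integrations (store_id, name, api_key) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def get_integrations_unsafe(conn: sqlite3.Connection, store_id: str) -> List[Tuple]:
    """VULNERABLE pattern (CWE-89): the request parameter is spliced into the
    SQL text, so a store_id value containing SQL rewrites the WHERE clause."""
    sql = (
        "SELECT store_id, name, api_key FROM integrations "
        f"WHERE store_id = {store_id} ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def validate_store_id(raw: str) -> int:
    """Allow-list validation: store_id must be a plain positive ASCII integer."""
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        raise ValueError("store_id must be a positive integer")
    value = int(raw)
    if value < 1 or value > 2**31 - 1:
        raise ValueError("store_id out of range")
    return value


def get_integrations_safe(conn: sqlite3.Connection, store_id_param: str) -> List[Tuple]:
    """Hardened form: validate first, then bind the value as a query parameter
    so the database driver never interprets it as SQL."""
    store_id = validate_store_id(store_id_param)
    sql = (
        "SELECT store_id, name, api_key FROM integrations "
        "WHERE store_id = ? ORDER BY id"
    )
    return conn.execute(sql, (store_id,)).fetchall()


def safe_rejects(conn: sqlite3.Connection, store_id_param: str) -> bool:
    """True if the hardened handler refuses the supplied store_id value."""
    try:
        get_integrations_safe(conn, store_id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_sample_db()
    print("unsafe, store 1:  ", get_integrations_unsafe(db, "1"))
    # A crafted value widens the WHERE clause and returns every store's keys.
    print("unsafe, crafted:  ", get_integrations_unsafe(db, "1 OR 1=1"))
    print("safe, store 1:    ", get_integrations_safe(db, "1"))
    print("safe, crafted rejected:", safe_rejects(db, "1 OR 1=1"))
```

Parameter binding alone would already stop the injection; the explicit integer check in front of it also gives the handler a place to log and reject malformed `store_id` values, which is a useful detection signal for the unauthenticated endpoint named in this advisory.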


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Order Up
                                       Order Up online Ordering System
Vendors & Products                     Order Up
                                       Order Up online Ordering System

Mon, 23 Feb 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 01:45:00 +0000

Type          Values Removed   Values Added
Description                    SQL Injection vulnerability in the /api/integrations/getintegrations endpoint of Order Up Online Ordering System 1.0 allows an unauthenticated attacker to access sensitive backend database data via a crafted store_id parameter in a POST request.
Title                          SQL injection vulnerability in Order Up Online Ordering System
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1
                               {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: spartans-security

Published:

Updated: 2026-02-23T13:47:41.202Z

Reserved: 2026-01-23T01:44:12.352Z

Link: CVE-2026-24494

Vulnrichment

Updated: 2026-02-23T13:47:35.061Z

NVD

Status: Deferred

Published: 2026-02-23T02:16:39.443

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:30:05Z

Weaknesses