Description
code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket-admin.php.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection that allows unauthorized database access and potential data exfiltration or modification
Action: Immediate Patch
AI Analysis

Impact

The Simple Food Order System v1.0 contains a flaw in the /food/view-ticket-admin.php endpoint that permits SQL injection. This weakness—classified as CWE-89—allows an attacker to manipulate database queries, read confidential order data, alter records, and potentially execute arbitrary commands if the underlying database privileges are permissive. The impact is loss of confidentiality, integrity, and potentially availability of the ordering system.

Affected Systems

The vulnerability exists in Simple Food Order System version 1.0, a PHP web application listed under the vendor name Carmelo (the CVE description attributes it to code-projects). No other versions or vendors are listed as affected.

Risk and Exploitability

The CVSS score of 9.8 marks this issue as critical, yet the Exploit Prediction Scoring System (EPSS) score is reported as less than 1%, indicating a very low estimated probability of exploitation under current conditions. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is a remote web request to the named endpoint, although the description does not state whether authentication is required. Even with a low current exploitation likelihood, the high severity warrants timely mitigation.

Generated by OpenCVE AI on April 16, 2026 at 14:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of the Simple Food Order System that resolves the SQL injection in /food/view-ticket-admin.php, or apply a local patch that replaces dynamic query construction with prepared statements
  • Implement strict authentication and access controls so that only authorized administrators can reach the view-ticket-admin.php endpoint
  • Sanitize all user inputs rigorously and use parameterized queries to eliminate injection vectors
  • Deploy a web application firewall configured to detect and block SQL injection patterns targeting this endpoint

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:15:00 +0000

  • Title: SQL Injection in Simple Food Order System Admin Ticket View Endpoint

Tue, 03 Mar 2026 16:15:00 +0000

  • Metrics: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 22:00:00 +0000

  • First Time appeared: Carmelo; Carmelo simple Food Order System
  • Weaknesses: CWE-89
  • CPEs: cpe:2.3:a:carmelo:simple_food_order_system:1.0:*:*:*:*:*:*:*
  • Vendors & Products: Carmelo; Carmelo simple Food Order System
  • Metrics: cvssV3_1
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 02 Mar 2026 19:30:00 +0000

  • Description: code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket-admin.php.
  • References:

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-03T15:19:37.022Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26712

Vulnrichment

Updated: 2026-03-03T15:19:31.509Z

NVD

Status: Modified

Published: 2026-03-02T20:16:26.990

Modified: 2026-03-03T16:16:21.767

Link: CVE-2026-26712

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:00:14Z

Weaknesses