Description
code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/cancel-order.php.
Published: 2026-03-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: High‑severity SQL Injection
Action: Patch Immediately
AI Analysis

Impact

This vulnerability is a classic SQL injection flaw in the cancel‑order handler (/food/routers/cancel-order.php) of Simple Food Order System version 1.0. Input reaching that handler is placed into a SQL statement without parameterization, so an attacker who controls the request can change the query and read, modify, or delete database records. The consequences are disclosure of order and customer data, loss of data integrity, and, if the application's database account holds more rights than the handler needs, further escalation within the database server. The weakness is classified as CWE‑89 (Improper Neutralization of Special Elements used in an SQL Command).

Affected Systems

The affected product is Simple Food Order System, version 1.0, distributed by code‑projects. The vulnerable component is the cancel‑order script located at /food/routers/cancel-order.php. No other versions or vendors are listed as affected.

Risk and Exploitability

The CVSS 3.1 base score is 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the flaw is reachable over the network, requires no privileges or user interaction, and has high impact on confidentiality, integrity and availability. The EPSS score is below 1%, so the observed probability of exploitation is currently low, and the CVE is not listed in the CISA KEV catalog. The SSVC assessment records Exploitation "none" but Automatable "yes" and Technical Impact "total". Exploitation consists of sending a crafted request to the cancel‑order endpoint; because the vector is PR:N, no account is needed, so any client with network access to the application is a potential attacker.

Generated by OpenCVE AI on April 16, 2026 at 14:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the vendor's patched version of Simple Food Order System if one becomes available.
  • Until a patch is released, rewrite every query in cancel‑order.php to use prepared statements with bound parameters. Validate the order identifier as a positive integer before it reaches the query; that validation is defence in depth, not a substitute for parameterization, and escaping or "sanitizing" the value is not an adequate fix on its own.
  • Run the application under a dedicated database account limited to the statements the handler actually needs, with no DDL, FILE, or administrative privileges, so that a successful injection cannot reach beyond the order data.
  • Require authentication on the cancel‑order endpoint and check that the requesting user owns the order being cancelled; the CVSS vector (PR:N) indicates the endpoint is currently reachable without credentials.

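The Impact paragraph and the recommended actions above describe the bug class and the fix in general terms. The following is an added example, not code from Simple Food Order System or from OpenCVE: it shows the pattern CWE‑89 names (request data interpolated into SQL) beside a hardened handler that applies the three remediations listed (prepared statements with input validation, a least‑privilege database account, and an authentication plus ownership check). The page does not show the affected source, so the `order_id` parameter name, the `orders` table and its columns, the session layout, the `food_app` account and the PDO connection string are all assumptions.

```php
<?php
// Added example, not the project's code. Table, column, parameter and
// account names are assumptions; the page only states that the handler is
// /food/routers/cancel-order.php and that the weakness is CWE-89.

// --- Vulnerable pattern (the bug class CWE-89 describes) -------------------
// The request value becomes part of the SQL text, so whoever sends the
// request can rewrite the WHERE clause (or append further statements) and
// the database will execute whatever results.
function cancelOrderVulnerable(PDO $db): void
{
    $id = $_GET['order_id'];                                        // untrusted
    $db->exec("UPDATE orders SET status = 'cancelled' WHERE id = $id");
}

// --- Hardened version --------------------------------------------------------
function cancelOrderSafe(PDO $db): void
{
    session_start();

    // Authentication: only a logged-in user may reach the cancel logic.
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit;
    }

    // Input validation (defence in depth): the order id must be a positive
    // integer. This narrows the input; the prepared statement is the real fix.
    $id = filter_input(
        INPUT_POST,
        'order_id',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === null || $id === false) {
        http_response_code(400);
        exit;
    }

    // Parameterization: the id is sent as a bound value, never as SQL text,
    // so no request content can change the statement's structure.
    // Authorization: the WHERE clause pins the row to the requesting user, so
    // one customer cannot cancel another's order, and only open orders are
    // cancellable.
    $stmt = $db->prepare(
        'UPDATE orders
            SET status = :new_status
          WHERE id = :id AND user_id = :uid AND status = :open_status'
    );
    $stmt->execute([
        ':new_status'  => 'cancelled',
        ':id'          => $id,
        ':uid'         => (int) $_SESSION['user_id'],
        ':open_status' => 'pending',
    ]);

    if ($stmt->rowCount() === 0) {
        http_response_code(404);   // not found, not owned, or already closed
        exit;
    }
    echo 'Order cancelled';
}

// Connection for the hardened handler. Emulated prepares are disabled so the
// server performs the binding, and errors surface as exceptions rather than
// silently returning false. The account (assumed name food_app) should hold
// only what this handler needs, for example:
//   GRANT SELECT, UPDATE ON food.orders TO 'food_app'@'localhost';
// and no DDL, FILE or administrative rights.
$db = new PDO(
    'mysql:host=localhost;dbname=food;charset=utf8mb4',
    'food_app',
    getenv('FOOD_DB_PASSWORD'),
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
cancelOrderSafe($db);
```

The vulnerable function is shown only to make the contrast concrete; it should not be deployed. Note that the hardened handler also moves the action from GET to POST, which is the appropriate method for a state-changing request and keeps the order id out of server logs and referrers; a CSRF token would normally be checked as well, but that is outside the scope of this CVE.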

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:15:00 +0000

Type: Title
Values Added: SQL Injection in Cancel Order Endpoint

Wed, 04 Mar 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Code-projects; Code-projects simple Food Order System

Type: Vendors & Products
Values Added: Code-projects; Code-projects simple Food Order System

Tue, 03 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 22:00:00 +0000

Type: First Time appeared
Values Added: Carmelo; Carmelo simple Food Order System

Type: Weaknesses
Values Added: CWE-89

Type: CPEs
Values Added: cpe:2.3:a:carmelo:simple_food_order_system:1.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Carmelo; Carmelo simple Food Order System

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 02 Mar 2026 19:30:00 +0000

Type: Description
Values Added: code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/cancel-order.php.

Type: References
Values Added:

Subscriptions

Carmelo Simple Food Order System
Code-projects Simple Food Order System
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-03T15:21:06.155Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26713

Vulnrichment

Updated: 2026-03-03T15:20:57.732Z

NVD

Status : Modified

Published: 2026-03-02T20:16:27.103

Modified: 2026-03-03T16:16:21.940

Link: CVE-2026-26713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:00:14Z

Weaknesses