Description
A security flaw has been discovered in code-projects Online Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /dbfood/food.php. The manipulation of the argument cuisines results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-03-26
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Client-side script execution via XSS
Action: Assess Impact
AI Analysis

Impact

An input validation failure in the file /dbfood/food.php of the Online Food Ordering System allows an attacker to manipulate the cuisines parameter and inject arbitrary script that executes in the victim's browser. The flaw is triggered remotely and does not require authentication; with the released exploit, the injected script runs in the browser of any user who visits the vulnerable page.

Affected Systems

Vulnerable product: Online Food Ordering System version 1.0 developed by code-projects. The issue is specifically limited to the food.php script handling the cuisines argument and is not reported in other vendors' products.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the EPSS score is not provided. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only a crafted HTTP request to the application, making it straightforward for anyone with network access to launch the attack. The absence of input validation or output encoding allows the injected script to run in the browser of any user interacting with the affected resource.

Generated by OpenCVE AI on March 26, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether the Online Food Ordering System 1.0 is deployed on your infrastructure.
  • If the vendor has released a patch or updated version, apply it immediately.
  • Implement server‑side input validation and output escaping for the cuisines parameter to prevent script injection.
  • If a patch is unavailable, restrict accepted cuisines values to a predefined whitelist.
  • Deploy a Content Security Policy that defaults to a restrictive script source to mitigate any remaining XSS risk.
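As an illustration of the validation, output-escaping and CSP actions listed above, here is an added example of a hardened handler for a cuisines query parameter in PHP; it is not code from code-projects' product, and the allow-list values and the rendered markup are assumptions.

```php
<?php
// Added example (not the Online Food Ordering System's own code): a hardened
// handler for a "cuisines" query parameter on a page such as /dbfood/food.php.
// The allow-list values below are constructed for illustration.
declare(strict_types=1);

const ALLOWED_CUISINES = ['italian', 'indian', 'mexican', 'chinese', 'thai'];

/**
 * Return the requested cuisine only if it is on the allow-list, otherwise null.
 * Rejecting unexpected values server-side is the primary control: it keeps
 * attacker-controlled strings out of the page entirely.
 */
function validateCuisine(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $value = strtolower(trim($raw));
    return in_array($value, ALLOWED_CUISINES, true) ? $value : null;
}

/**
 * Encode a string for safe placement in an HTML text node or quoted attribute.
 * Output encoding is the second control: even allow-listed values are encoded,
 * so the rule still holds if the list is extended later.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Restrictive CSP as defence in depth: only same-origin scripts, no inline script.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
header('X-Content-Type-Options: nosniff');

$cuisine = validateCuisine($_GET['cuisines'] ?? null);

if ($cuisine === null) {
    // Unknown or missing value: fail closed without echoing the raw input back.
    http_response_code(400);
    echo '<p>Unknown cuisine selection.</p>';
    exit;
}

// The value is both allow-listed and HTML-encoded before it reaches the page;
// in the URL context it is additionally percent-encoded.
echo '<h1>Menu: ' . h($cuisine) . '</h1>';
echo '<a href="/dbfood/food.php?cuisines=' . rawurlencode($cuisine) . '">Refresh</a>';
```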



Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Code-projects; Code-projects online Food Ordering System

Type: Vendors & Products
Values Added: Code-projects; Code-projects online Food Ordering System

Thu, 26 Mar 2026 22:00:00 +0000

Type: Description
Values Added: A security flaw has been discovered in code-projects Online Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /dbfood/food.php. The manipulation of the argument cuisines results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Type: Title
Values Added: code-projects Online Food Ordering System food.php cross site scripting

Type: Weaknesses
Values Added: CWE-79, CWE-94

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Code-projects Online Food Ordering System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-26T21:56:43.372Z

Reserved: 2026-03-26T14:33:55.079Z

Link: CVE-2026-4899

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-26T22:16:31.950

Modified: 2026-03-26T22:16:31.950

Link: CVE-2026-4899

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:00Z

Weaknesses