Description
A security flaw has been discovered in code-projects Simple Food Order System 1.0. This impacts an unknown function of the file /all-tickets.php of the component Parameter Handler. Performing a manipulation of the argument Status results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-03-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a SQL injection flaw in the Simple Food Order System that allows an attacker to inject arbitrary SQL through the Status parameter handled by /all-tickets.php (the Parameter Handler component). Such injection can lead to unauthorized exposure or manipulation of data in the underlying database. The flaw exists in version 1.0, and a public exploit has been disclosed. Attackers can trigger the injection remotely by manipulating the Status parameter in HTTP requests sent to the vulnerable endpoint.

Affected Systems

The affected software is the Simple Food Order System supplied by code-projects, currently at version 1.0. The vulnerability is situated in the Parameter Handler module of the all-tickets.php script. Systems running this application without an updated patch, especially those exposed directly to the internet, are susceptible.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity; the EPSS score below 1% suggests a low but non-zero probability of exploitation. The vulnerability is not in CISA's KEV catalog, but the public release of an exploit indicates it is exploitable in practice. Because the attack can be performed remotely and without authentication, successful exploitation could let attackers read, modify, or delete data stored in the database, depending on the privileges of the application's database account. No zero-day or privilege escalation is required, and the exploit does not rely on complex prerequisites.

Generated by OpenCVE AI on April 2, 2026 at 23:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any publicly released vendor patch for Simple Food Order System 1.0 that addresses the SQL injection in /all-tickets.php.
  • If a patch is not yet available, deploy a code-level fix: change the Status parameter handling in /all-tickets.php to use prepared statements or parameterized queries instead of building the SQL string from the request value.
  • Limit exposure of the /all-tickets.php endpoint by restricting its access to trusted IP ranges through network firewall rules or web server configuration.
  • Review and, if necessary, reset database credentials and tighten permissions to minimize the impact of potential data compromise.
  • Monitor application logs for anomalous SQL queries and conduct periodic security scans to detect exploitation attempts.
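The prepared-statement fix recommended above, shown as an added example rather than code from the Simple Food Order System itself. It assumes a mysqli connection ($db), a hypothetical `tickets` table with a `status` column, and a hypothetical set of allowed status values; the vulnerable function is included only to make the contrast with the hardened one visible.

```php
<?php
// Added example, not code-projects' own code. Assumptions (all hypothetical):
// a mysqli connection $db and a `tickets` table with a `status` column.

// Vulnerable pattern: the request value is spliced into the SQL text, so it
// controls the structure of the query rather than only the filter value.
function listTicketsUnsafe(mysqli $db, string $status): mysqli_result|false
{
    $sql = "SELECT id, customer, status FROM tickets WHERE status = '" . $status . "'";
    return $db->query($sql);
}

// Hardened pattern: validate against an allowlist of expected values, then
// bind the value as a parameter so it can never change the query's shape.
const TICKET_STATUSES = ['open', 'processing', 'closed']; // assumed values

function listTicketsSafe(mysqli $db, string $status): array
{
    if (!in_array($status, TICKET_STATUSES, true)) {
        throw new InvalidArgumentException('Unknown ticket status');
    }
    $stmt = $db->prepare('SELECT id, customer, status FROM tickets WHERE status = ?');
    $stmt->bind_param('s', $status);   // 's' binds the value as a string
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage at the endpoint: read Status with a default, validate, query, and
// HTML-encode on output. Connection details are placeholders.
$db = new mysqli('localhost', 'app_user', 'app_password', 'food_order');
$db->set_charset('utf8mb4');
$status = $_GET['Status'] ?? 'open';
try {
    foreach (listTicketsSafe($db, $status) as $row) {
        echo htmlspecialchars((string) $row['id'], ENT_QUOTES, 'UTF-8'), ' ',
             htmlspecialchars($row['status'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
    }
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request';
}
```

The allowlist check is the detection point as well as the fix: rejected values can be logged with the client address, giving the log monitoring step above a concrete signal to alert on without having to parse raw SQL.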

Tracking

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Carmelo; Carmelo simple Food Order System
CPEs | | cpe:2.3:a:carmelo:simple_food_order_system:1.0:*:*:*:*:*:*:*
Vendors & Products | | Carmelo; Carmelo simple Food Order System

Mon, 30 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Code-projects; Code-projects simple Food Order System
Vendors & Products | | Code-projects; Code-projects simple Food Order System

Sun, 29 Mar 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in code-projects Simple Food Order System 1.0. This impacts an unknown function of the file /all-tickets.php of the component Parameter Handler. Performing a manipulation of the argument Status results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Title | | code-projects Simple Food Order System Parameter all-tickets.php sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Carmelo Simple Food Order System
Code-projects Simple Food Order System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T14:52:56.572Z

Reserved: 2026-03-27T14:14:07.134Z

Link: CVE-2026-5017

Vulnrichment

Updated: 2026-03-30T13:14:23.464Z

NVD

Status : Analyzed

Published: 2026-03-28T23:16:43.597

Modified: 2026-04-02T20:34:00.900

Link: CVE-2026-5017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:38:27Z

Weaknesses