Description
A vulnerability was identified in code-projects Online Food Ordering System 1.0. Affected is an unknown function of the file /form/order.php of the component Order Module. Manipulation of the argument cust_id leads to cross-site scripting. The attack can be performed remotely. The exploit is publicly available and might be used.
Published: 2026-03-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary script into the cust_id parameter of the order.php page, resulting in client‑side script execution in the victim's browser. This can lead to page defacement, credential theft or redirection to malicious sites. The weakness is a persistent cross‑site scripting flaw and was validated in version 1.0 of the Online Food Ordering System’s Order module.

Affected Systems

Affected software is code‑projects Online Food Ordering System, version 1.0, specifically the Order module’s form/order.php file. The flaw exists in the unknown function that handles the cust_id argument.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog, but it has publicly available exploits. Since the attack vector is remote and a crafted HTTP request can trigger the flaw, the likelihood of exploitation is notable. Administrators should treat this as a medium‑risk issue that could impact the confidentiality and integrity of user sessions.

Generated by OpenCVE AI on March 31, 2026 at 05:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest release of the Online Food Ordering System or apply the vendor's patch as soon as it is released.
  • If a patch is not yet available, validate that the cust_id parameter is properly sanitized and encoded before being rendered in the browser.
  • Deploy a web application firewall or implement a content security policy to block malicious scripts from executing in user browsers.
  • Monitor for suspicious activity or reports of unexpected webpage content.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Values Removed: (none)
Values Added:
  Description: A vulnerability was identified in code-projects Online Food Ordering System 1.0. Affected is an unknown function of the file /form/order.php of the component Order Module. Such manipulation of the argument cust_id leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used.
  Title: code-projects Online Food Ordering System Order order.php cross site scripting
  Weaknesses: CWE-79, CWE-94
  References
  Metrics:
    cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-31T18:05:06.456Z

Reserved: 2026-03-30T13:36:47.061Z

Link: CVE-2026-5157

Vulnrichment

Updated: 2026-03-31T16:13:31.049Z

NVD

Status: Received

Published: 2026-03-31T00:16:15.590

Modified: 2026-03-31T00:16:15.590

Link: CVE-2026-5157

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T19:57:01Z

Weaknesses