Description
A vulnerability was identified in SourceCodester Online Food Ordering System 1.0. Affected by this issue is the function save_product of the file /Actions.php of the component POST Parameter Handler. Such manipulation of the argument price leads to business logic errors. The attack may be performed from remote. The exploit is publicly available and might be used.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Business Logic Manipulation
Action: Patch
AI Analysis

Impact

The vulnerability resides in the save_product function of SourceCodester's Online Food Ordering System, allowing an attacker to alter the POST parameter price. This manipulation bypasses the intended business logic, potentially enabling negative or invalid prices that can lead to revenue loss, inventory mismanagement, or fraudulent orders. The exploit is remote and publicly available, giving an attacker the ability to send crafted requests to the web application without any special authentication or local access.

Affected Systems

SourceCodester Online Food Ordering System, version 1.0. The issue pertains specifically to the save_product function in /Actions.php, the component that handles the submitted POST parameters.

Risk and Exploitability

With a CVSS score of 5.3, the vulnerability presents moderate severity. No EPSS score data is available, and the issue is not listed in the CISA KEV catalog, indicating that the likelihood of widespread exploitation is uncertain. The attack vector is remote, relying on the ability to send crafted POST requests to the affected endpoint; note that the CVSS vectors recorded in the history below (Au:S, PR:L) indicate that low-privilege authenticated access to the application is required. Because the exploit code is publicly available, operational security teams should treat this as a potential risk for systems that remain unpatched or misconfigured.

Generated by OpenCVE AI on April 8, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-supplied update or patch for the Online Food Ordering System that addresses the price validation flaw.
  • If no update is available, investigate the source code and amend the price validation logic in Actions.php to reject negative or non-numeric values.
  • Deploy a web application firewall rule that blocks POST requests setting product price to negative values.
  • Audit transaction logs and inventory data for anomalous pricing patterns that may indicate exploitation.
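The second recommended action asks for server-side rejection of negative or non-numeric prices. The PHP below is an added example of what such validation looks like; it is not code from the SourceCodester project (whose save_product implementation is not shown on this page), and the names price_to_cents, validate_price, handle_save_product and MAX_PRICE_CENTS are assumptions made for this illustration. It treats the price as an untrusted string, accepts only an unsigned decimal with at most two fractional digits, converts to integer cents to avoid float rounding, enforces a positive lower bound and an assumed upper bound, and logs every rejection so the audit trail the fourth action calls for exists.

```php
<?php
declare(strict_types=1);

// Added example (not the SourceCodester project's code): strict server-side
// validation of a product price submitted as a POST parameter.
// MAX_PRICE_CENTS is an assumed business limit for a single menu item.
const MAX_PRICE_CENTS = 100000 * 100;

/**
 * Parse an untrusted price string into integer cents.
 * Accepts only "123" or "123.4" / "123.45" with no sign, exponent,
 * whitespace or leading zeros. Returns null for anything else.
 */
function price_to_cents($raw): ?int
{
    if (!is_string($raw)) {
        return null; // arrays or other types from a crafted request body
    }
    // \z (not $) so a trailing newline cannot slip past the check.
    if (preg_match('/^(0|[1-9][0-9]{0,7})(?:\.([0-9]{1,2}))?\z/', $raw, $m) !== 1) {
        return null;
    }
    $whole = (int) $m[1];
    $frac  = isset($m[2]) ? (int) str_pad($m[2], 2, '0') : 0; // "5" -> "50"
    return $whole * 100 + $frac;
}

/**
 * Validate a price and return it as a canonical "0.00" string, or null
 * if the request must be rejected (non-numeric, zero, negative, too large).
 */
function validate_price($raw): ?string
{
    $cents = price_to_cents($raw);
    if ($cents === null || $cents <= 0 || $cents > MAX_PRICE_CENTS) {
        return null;
    }
    return sprintf('%d.%02d', intdiv($cents, 100), $cents % 100);
}

/**
 * Hypothetical hardened save_product handler: validate before anything is
 * persisted, and record rejections for later audit.
 */
function handle_save_product(array $post): array
{
    $price = validate_price($post['price'] ?? null);
    if ($price === null) {
        error_log('save_product: rejected price parameter: '
            . var_export($post['price'] ?? null, true));
        return ['status' => 400, 'error' => 'invalid price'];
    }
    // ... persist the product using $price (canonical decimal string) ...
    return ['status' => 200, 'price' => $price];
}

// Constructed sample inputs (not from any real request) showing what the
// check accepts and what it rejects.
$samples = ['9.99', '0.5', '12', '0', '-5', '1e3', ' 10', '10.999', 'abc', '100000.00', '100000.01', ['9']];
foreach ($samples as $input) {
    printf("%-14s => %s\n", var_export($input, true), validate_price($input) ?? 'REJECTED');
}
```

Validating as a string and comparing in integer cents matters here: casting the raw parameter with (float) or is_numeric() would silently accept inputs such as "1e3", " 10" or "-0", which is exactly the class of input the flaw concerns. The same function can be reused wherever a monetary amount enters the application, not only in save_product.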


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 14:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Sourcecodester; Sourcecodester online Food Ordering System

Type: Vendors & Products
Values removed: (none)
Values added: Sourcecodester; Sourcecodester online Food Ordering System

Wed, 08 Apr 2026 22:30:00 +0000

Type: Description
Values removed: (none)
Values added: A vulnerability was identified in SourceCodester Online Food Ordering System 1.0. Affected by this issue is the function save_product of the file /Actions.php of the component POST Parameter Handler. Such manipulation of the argument price leads to business logic errors. The attack may be performed from remote. The exploit is publicly available and might be used.

Type: Title
Values removed: (none)
Values added: SourceCodester Online Food Ordering System POST Parameter Actions.php save_product logic error

Type: Weaknesses
Values removed: (none)
Values added: CWE-840

Type: References
Values removed: (none)
Values added: (none shown)

Type: Metrics
Values removed: (none)
Values added:

cvssV2_0
{'score': 5.5, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0
{'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sourcecodester Online Food Ordering System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T13:18:59.568Z

Reserved: 2026-04-08T15:20:12.893Z

Link: CVE-2026-5811

Vulnrichment

Updated: 2026-04-09T13:18:54.779Z

NVD

Status: Received

Published: 2026-04-08T23:17:00.390

Modified: 2026-04-08T23:17:00.390

Link: CVE-2026-5811

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:45Z

Weaknesses