Description
A vulnerability was detected in CodePanda Source canteen_management_system 1.0. Affected by this issue is some unknown functionality of the file /api/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.
Published: 2026-04-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

A SQL injection flaw exists in the /api/login.php endpoint of CodePanda Source canteen_management_system, introduced by unsanitized handling of the Username parameter. The flaw allows an attacker to inject arbitrary SQL commands, potentially exposing or modifying the data stored by the application.

Affected Systems

The vulnerability affects CodePanda Source canteen_management_system version 1.0. Any deployment that exposes the /api/login.php API endpoint is susceptible; the affected functionality is not limited to a specific configuration.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate impact if exploited, while the EPSS score of less than 1% suggests a low current probability of exploitation. An attacker can perform the exploit remotely via an HTTP request without authentication, and a public exploit is available. The vulnerability is not listed in the CISA KEV catalog, but because the attack can be carried out with minimal effort, remediation is recommended.

Generated by OpenCVE AI on April 28, 2026 at 13:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the official CodePanda Source patch that addresses the SQL injection in the login API as soon as it becomes available.
  • If a patch is not yet released, deploy network controls or a Web Application Firewall rule to limit or block traffic to /api/login.php from untrusted IP addresses, or replace the endpoint with a version that performs strict input validation.
  • Configure the database account used by the application to follow least-privilege principles, removing any write or administrative roles that are not necessary for normal operation.

Generated by OpenCVE AI on April 28, 2026 at 13:14 UTC.
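As an added illustration, not code from CodePanda Source canteen_management_system (whose login.php is not reproduced on this page), the PHP below shows the general pattern the description implies, a request parameter spliced into the login query, next to the hardened form a patch would use: an allowlist check on the username, a PDO prepared statement, and password_verify() against a stored hash. The users table, its columns, the sample account and the use of the pdo_sqlite driver are all assumptions made for the demo.

```php
<?php
// Added illustration, not code from canteen_management_system: the general
// pattern behind a login SQL injection next to the hardened form a patch would
// use. The users table, its columns and the sample account are assumptions.

// Vulnerable pattern: the request parameter is spliced into the SQL text, so a
// quote or comment sequence inside $username changes the query itself.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: reject input that does not look like a username, bind the
// value as a parameter so the driver never parses it as SQL, and compare the
// password with password_verify() against a stored hash.
function authenticateSafe(PDO $db, string $username, string $password): ?array
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $username)) {
        return null; // allowlist check; nothing reaches the database
    }
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

// Demo against an in-memory SQLite database (requires the pdo_sqlite
// extension; constructed data). In production the connection should use a
// database account limited to the SELECT the login needs, per the
// least-privilege action above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$insert = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$insert->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// The hardened function treats a username containing a quote as plain data
// (and here rejects it on shape); only the right credentials succeed.
$attempts = [["o'brien", 'x'], ['alice', 'wrong'], ['alice', 'correct horse']];
foreach ($attempts as [$user, $pass]) {
    $result = authenticateSafe($db, $user, $pass);
    printf("%-10s %s\n", $user, $result === null ? 'denied' : 'accepted as id ' . $result['id']);
}

// The same quoted username breaks the concatenated query. With exceptions
// enabled the error surfaces here; on an unpatched deployment the equivalent
// database syntax errors in the web or DB log are the signal to watch.
try {
    findUserUnsafe($db, "o'brien");
} catch (PDOException $e) {
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}
```

Run with `php` on a build that has pdo_sqlite: the hardened function denies the quoted username and the wrong password and accepts the correct pair, while the concatenated query fails on the quoted username. Those database syntax errors on the login endpoint are the simplest log signal to monitor while the WAF or network control from the list above is the only protection in place.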


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 20:15:00 +0000

Type: First Time appeared
Values Added: Codepanda Source; Codepanda Source canteen Management System

Type: Vendors & Products
Values Added: Codepanda Source; Codepanda Source canteen Management System

Mon, 27 Apr 2026 01:15:00 +0000

Type: Description
Values Added: A vulnerability was detected in CodePanda Source canteen_management_system 1.0. Affected by this issue is some unknown functionality of the file /api/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.

Type: Title
Values Added: CodePanda Source canteen_management_system login.php sql injection

Type: Weaknesses
Values Added: CWE-74; CWE-89

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Codepanda Source Canteen Management System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T13:41:50.193Z

Reserved: 2026-04-26T07:52:15.221Z

Link: CVE-2026-7072

Vulnrichment

Updated: 2026-04-29T13:41:46.097Z

NVD

Status: Deferred

Published: 2026-04-27T01:16:16.137

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z

Weaknesses