CVE-2026-1599
Unknown Unknown - Not Provided
Business Logic Error in Bdtask Bhojon Checkout via Remote Manipulation

Publication date: 2026-01-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The affected element is an unknown function of the file /hungry/placeorder of the component Checkout. Executing a manipulation of the argument orggrandTotal/vat/service_charge/grandtotal can lead to business logic errors. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1599
EUVD
EUVD-2026-4961
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bdtask bhojon to 2026-01-16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-840 Business Logic Errors
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1599 is a business logic vulnerability in the Bdtask Bhojon All-In-One Restaurant Management System affecting the checkout process. The vulnerability exists because the backend endpoint /hungry/placeorder improperly trusts client-supplied pricing parameters such as orggrandTotal, vat, service_charge, and grandtotal without validating or recalculating them on the server side. This allows an attacker to manipulate these values remotely, causing the system to accept incorrect order totals, leading to payment bypass or fraudulent orders. [2, 3, 4]

Impact Analysis

This vulnerability can lead to direct financial losses by allowing attackers to bypass payment amounts during checkout. Attackers can manipulate VAT, service charges, and the final order total to arbitrarily low values, effectively placing fraudulent orders without paying the correct amount. The flaw can be exploited remotely and automated via bots, potentially causing significant revenue loss and undermining the integrity of transaction calculations. [2, 3, 4]

Detection Guidance

Detection of this vulnerability involves monitoring and analyzing requests to the checkout endpoint `/hungry/placeorder` for manipulation of pricing parameters such as `orggrandTotal`, `vat`, `service_charge`, and `grandtotal`. You can detect suspicious activity by capturing and inspecting HTTP requests to this endpoint for abnormal or inconsistent pricing values. Commands to detect this might include using network traffic analysis tools like `tcpdump` or `Wireshark` to capture traffic, or using web server logs to identify requests with manipulated price parameters. For example, using `grep` on server logs to find requests containing these parameters with unusual values: `grep -E 'orggrandTotal=|vat=|service_charge=|grandtotal=' /path/to/access.log`. Additionally, setting up IDS/IPS rules to alert on changes to these parameters or unusual order totals can help detect exploitation attempts. [2, 3, 4]

Mitigation Strategies

Immediate mitigation steps include: 1) Recalculating all pricing fields (`orggrandTotal`, `vat`, `service_charge`, `grandtotal`) exclusively on the server side rather than trusting client-supplied values. 2) Removing price-related fields from client requests to prevent manipulation. 3) Implementing server-side validation to reject orders where totals do not match expected calculations. 4) Logging and monitoring any attempts to tamper with pricing parameters to detect abuse. 5) Considering replacing the affected software with an alternative product since no vendor patch or fix is currently available. These steps help prevent attackers from bypassing payment and manipulating order totals. [3, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1599. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart