CVE-2026-1600
Business Logic Error in Bdtask Bhojon Add-to-Cart Endpoint
Publication date: 2026-01-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bdtask | bhojon | up to 2026-01-16 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-840 | Business Logic Errors |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1600 is a business logic vulnerability in the Bdtask Bhojon All-In-One Restaurant Management System's Add-to-Cart Submission Endpoint (/hungry/addtocart). The endpoint accepts and processes user-supplied price values (the `price` and `allprice` parameters) without verifying them against server-side product data. An attacker can therefore tamper with the prices in a request and have the system process them as submitted, for example buying expensive items at a much lower cost. The flaw stems from a lack of server-side validation and leads to financial losses and potential automated mass exploitation. [2, 3, 4]
How can this vulnerability impact me?
This vulnerability can lead to direct financial losses by allowing attackers to purchase items at manipulated, lower prices. Because the system processes tampered price values without verification, attackers can pay less than the actual price, potentially at scale through automated attacks. This undermines the business's revenue and trustworthiness. [2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and analyzing POST requests to the /hungry/addtocart endpoint for manipulated `price` and `allprice` parameters. Detection involves inspecting network traffic or server logs for pricing values submitted by clients that do not match the product catalog. To confirm whether your own installation is affected, tools such as curl or wget can send a test POST request with altered price parameters so you can observe the server's response; network packet capture tools such as tcpdump or Wireshark can filter and analyze traffic to the vulnerable endpoint. For example, a test request with manipulated price values: `curl -X POST -d 'price=1.00&allprice=1.00' https://target/hungry/addtocart`, then check whether the server accepts and processes these values without validation. Monitoring logs for repeated or suspicious price manipulation attempts can also help detect exploitation. [2, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting access to the /hungry/addtocart endpoint to prevent exploitation. Since no patches or vendor responses are available, it is recommended to implement server-side validation that ignores client-supplied price parameters and recalculates prices from trusted product data in the database. Logging and alerting on any attempt to manipulate price parameters helps detect abuse. If possible, consider replacing the affected Bhojon All-In-One Restaurant Management System with an alternative solution that does not have this vulnerability. Network-level protections such as a web application firewall (WAF) that blocks suspicious requests targeting price manipulation can also reduce risk. [2, 4]
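Added example (not Bhojon's code): the trusting handler pattern beside a hardened one that recomputes price and total from a server-side catalog, plus a log check that flags /hungry/addtocart requests whose price fields disagree with that catalog. The catalog, product ids, sample log lines and log format are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl

# Constructed trusted catalog standing in for the server-side product table.
CATALOG = {"101": Decimal("12.50"), "102": Decimal("4.00"), "103": Decimal("29.99")}

def _dec(value):
    """Parse a decimal string; None if missing or malformed (never trust the client)."""
    try:
        return Decimal(value)
    except (InvalidOperation, TypeError, ValueError):
        return None

def add_to_cart_vulnerable(form):
    """The CVE-2026-1600 pattern: client 'price' and 'allprice' are taken as given."""
    return {"product_id": form["product_id"], "qty": int(form.get("qty", 1)),
            "price": _dec(form.get("price")), "total": _dec(form.get("allprice"))}

def add_to_cart_hardened(form):
    """Ignore client price fields; recompute price and total from the catalog."""
    pid = str(form["product_id"])
    if pid not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form.get("qty", 1))
    return {"product_id": pid, "qty": qty, "price": CATALOG[pid], "total": CATALOG[pid] * qty}

def find_price_tampering(log_lines):
    """Flag POST /hungry/addtocart lines whose price/allprice disagree with the catalog.
    Assumed log format: 'ip method path body'."""
    hits = []
    for line in log_lines:
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST" or parts[2] != "/hungry/addtocart":
            continue
        params = dict(parse_qsl(parts[3]))
        pid = params.get("product_id")
        if pid not in CATALOG:
            continue
        qty = int(params.get("qty", "1"))
        if (_dec(params.get("price")) != CATALOG[pid]
                or _dec(params.get("allprice")) != CATALOG[pid] * qty):
            hits.append((parts[0], pid, params.get("price"), params.get("allprice")))
    return hits

# Constructed log lines: one honest request, one tampered one, one unrelated.
SAMPLE_LOG = [
    "203.0.113.5 POST /hungry/addtocart product_id=103&qty=1&price=29.99&allprice=29.99",
    "203.0.113.9 POST /hungry/addtocart product_id=103&qty=2&price=1.00&allprice=2.00",
    "203.0.113.7 GET /hungry/menu -",
]
```

In a real deployment the same comparison can run against the web server's access log or a WAF rule feed, alerting on any request where the submitted price does not equal the catalog price times quantity.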