CVE-2026-1600
Unknown Unknown - Not Provided
Business Logic Error in Bdtask Bhojon Add-to-Cart Endpoint

Publication date: 2026-01-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The impacted element is an unknown function of the file /hungry/addtocart of the component Add-to-Cart Submission Endpoint. The manipulation of the argument price/allprice leads to business logic errors. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1600
EUVD
EUVD-2026-4965
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bdtask bhojon to 2026-01-16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-840 Business Logic Errors
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1600 is a business logic vulnerability in the Bdtask Bhojon All-In-One Restaurant Management System's Add-to-Cart Submission Endpoint (/hungry/addtocart). The system improperly accepts and processes user-supplied price values (price and allprice parameters) without verifying them against server-side product data. This allows attackers to manipulate prices in requests, causing the system to process fraudulent prices, such as purchasing expensive items at a much lower cost. The flaw stems from lack of server-side validation and leads to financial losses and potential automated mass exploitation. [2, 3, 4]

Impact Analysis

This vulnerability can lead to direct financial losses by allowing attackers to purchase items at manipulated, lower prices. Since the system processes tampered price values without verification, attackers can exploit this flaw to pay less than the actual price, potentially on a large scale through automated attacks. This undermines the business's revenue and trustworthiness. [2, 3, 4]

Detection Guidance

This vulnerability can be detected by monitoring and analyzing POST requests to the /hungry/addtocart endpoint for manipulated 'price' and 'allprice' parameters. Detection involves inspecting network traffic or server logs for unusual or inconsistent pricing values submitted by clients. Commands to detect this could include using tools like curl or wget to send test POST requests with altered price parameters and observing server responses. Additionally, network packet capture tools such as tcpdump or Wireshark can be used to filter and analyze traffic to the vulnerable endpoint. For example, using curl to send a POST request with manipulated price values: curl -X POST -d 'price=1.00&allprice=1.00' https://target/hungry/addtocart and checking if the server accepts and processes these values without validation. Monitoring logs for repeated or suspicious price manipulation attempts can also help detect exploitation. [2, 4]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the /hungry/addtocart endpoint to prevent exploitation. Since no patches or vendor responses are available, it is recommended to implement server-side validation that ignores client-supplied price parameters and recalculates prices based on trusted product data from the database. Logging and alerting on any attempts to manipulate price parameters can help detect abuse. If possible, consider replacing the affected Bhojon All-In-One Restaurant Management System with an alternative solution that does not have this vulnerability. Applying network-level protections such as web application firewalls (WAF) to block suspicious requests targeting price manipulation can also reduce risk. [2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1600. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart