CVE-2026-4841
Received Received - Intake
SQL Injection in Online Food Ordering System Shopping Cart Module

Publication date: 2026-03-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file form/cart.php of the component Shopping Cart Module. Executing a manipulation of the argument del can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4841
EUVD
EUVD-2026-16110
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
code-projects online_food_ordering_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The SQL Injection vulnerability in the Online Food Ordering System 1.0 allows attackers to extract sensitive data such as user credentials, order history, customer personal information, and payment details. This exposure of personal and payment information can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data against unauthorized access and breaches.

Additionally, the ability to modify or delete database records, including audit trails, undermines data integrity and accountability requirements often enforced by these standards.

Mitigation Strategies

To mitigate the SQL Injection vulnerability in the Online Food Ordering System 1.0, immediate steps include:

  • Apply input validation and sanitization to the 'del' parameter to prevent malicious SQL code injection.
  • Use prepared statements or parameterized queries in the /form/cart.php file to safely handle user inputs.
  • Restrict or monitor access to the Shopping Cart Module to detect and block suspicious POST requests targeting the 'del' parameter.
  • If possible, temporarily disable or restrict the vulnerable functionality until a patch or update is available.
  • Monitor logs for unusual delays or suspicious activity indicative of time-based blind SQL injection attempts.
Executive Summary

CVE-2026-4841 is a critical SQL Injection vulnerability found in the Online Food Ordering System 1.0 by code-projects.org. It exists in the Shopping Cart Module within the file /form/cart.php. The vulnerability occurs because the 'del' parameter, which identifies cart items, is directly used in a SQL query without proper sanitization or parameterization.

An attacker can exploit this vulnerability remotely by sending specially crafted POST requests with multipart/form-data encoding. This allows a time-based blind SQL injection attack, where the attacker can confirm the vulnerability by causing delays in the database response.

Impact Analysis

Exploiting this vulnerability can have severe impacts including:

  • Extraction of sensitive data such as user credentials, order history, customer personal information, and payment details.
  • Modification of database records, including altering prices, manipulating orders, and creating fake orders.
  • Deletion of database records, such as removing orders and clearing audit trails.

Overall, a remote attacker can fully compromise the integrity and confidentiality of the Online Food Ordering System's database without needing any privileges or user interaction.

Detection Guidance

This vulnerability can be detected by sending a specially crafted POST request to the vulnerable endpoint and observing the response time for delays caused by SQL injection payloads.

Specifically, the vulnerable parameter is `del` in the `/form/cart.php` file of the Online Food Ordering System 1.0.

A proof-of-concept payload to test for the time-based blind SQL injection is:

  • POST /form/cart.php with multipart/form-data encoding and parameter `del` set to: `139' AND (SELECT 5854 FROM (SELECT(SLEEP(10)))hkHH) AND 'pzvo'='pzvo`

If the server response is delayed by approximately 10 seconds, it indicates the presence of the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4841. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart