CVE-2026-4844
Received Received - Intake
SQL Injection in Online Food Ordering Admin Login Module

Publication date: 2026-03-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in code-projects Online Food Ordering System 1.0. This issue affects some unknown processing of the file /admin.php of the component Admin Login Module. The manipulation of the argument Username results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4844
EUVD
EUVD-2026-16114
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
code-projects online_food_ordering_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4844 is a critical pre-authentication time-based blind SQL injection vulnerability in the Online Food Ordering System 1.0 by code-projects.org. It exists in the /admin.php file, specifically in the "username" parameter of the admin login form, which is processed via a POST multipart/form-data request.

This vulnerability allows unauthenticated remote attackers to inject SQL code before any authentication checks occur, requiring no session cookies, credentials, or prior access.

The injection exploits the "username" parameter by appending a payload that uses MySQL's SLEEP() function to induce a time delay, confirming the vulnerability through measurable response delays.

The payload structure involves closing the original string, concatenating a nested SELECT statement that triggers the delay, and then reopening the string, enabling time-based blind SQL injection.

Impact Analysis

This vulnerability can have severe impacts including:

  • Enumeration and extraction of all administrative credentials, customer data, and order history.
  • Authentication bypass to gain admin panel access without valid credentials using boolean-based payloads.
  • Unauthorized data manipulation such as altering menu items, prices, and orders.
  • Full database dumps using automated tools like sqlmap.

The impact is severe due to the lack of authentication requirements, direct targeting of the admin login, and the potential for full system compromise. Sensitive customer personally identifiable information (PII), payment data, and the integrity of the entire ordering system are at significant risk.

Detection Guidance

This vulnerability can be detected by sending specially crafted POST requests to the /admin.php endpoint, targeting the "username" parameter with time-based blind SQL injection payloads. The detection relies on measuring response delays caused by the injected SQL SLEEP() function.

A typical detection command involves using tools like curl or automated SQL injection tools such as sqlmap to send payloads that cause a delay in the server response if the vulnerability is present.

  • Example curl command to test the vulnerability by injecting a time delay payload in the username parameter:
  • curl -X POST https://targetsite/admin.php -F "username=admin' AND (SELECT IF(SLEEP(5),1,0))-- " -F "password=any"
  • If the response time is significantly delayed (e.g., 3 to 5 seconds), it indicates the presence of the SQL injection vulnerability.
  • Alternatively, use sqlmap to automate detection and exploitation:
  • sqlmap -u https://targetsite/admin.php --data="username=admin&password=any" --method=POST --technique=T --time-sec=5
Mitigation Strategies

Immediate mitigation steps include:

  • Restrict access to the /admin.php endpoint by IP whitelisting or VPN to limit exposure to trusted users only.
  • Implement input validation and parameterized queries or prepared statements in the admin login module to prevent SQL injection.
  • Apply web application firewall (WAF) rules to detect and block SQL injection payloads targeting the username parameter.
  • Monitor server logs for unusual delays or suspicious POST requests to /admin.php.
  • If possible, temporarily disable the admin login module or restrict its functionality until a patch or fix is applied.
Compliance Impact

This vulnerability allows unauthenticated remote attackers to perform SQL injection on the admin login module, potentially leading to unauthorized access to administrative credentials, customer data, and order history.

The exposure and potential manipulation of sensitive customer personally identifiable information (PII) and payment data pose significant risks to compliance with data protection regulations such as GDPR and HIPAA.

Organizations using the affected system may fail to meet requirements for protecting sensitive data, maintaining data integrity, and preventing unauthorized access, which are core principles of these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4844. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart