CVE-2026-5157
Received Received - Intake
Cross-Site Scripting in Online Food Ordering System Order Module

Publication date: 2026-03-31

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in code-projects Online Food Ordering System 1.0. Affected is an unknown function of the file /form/order.php of the component Order Module. Such manipulation of the argument cust_id leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-03-31
EPSS Evaluated
2026-05-05
NVD
CVE-2026-5157
EUVD
EUVD-2026-17253
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
code-projects online_food_ordering_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5157 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the Online Food Ordering System 1.0 by code-projects.org. It exists in the order module, specifically in the file /form/order.php, where the cust_id parameter is processed via HTTP GET requests.

The root cause is that the application does not properly sanitize or encode the cust_id parameter before reflecting it in the HTML response. This means user-supplied input is directly embedded into the page without validation or output encoding, allowing an attacker to inject and execute arbitrary JavaScript code.

An attacker can craft a malicious URL containing JavaScript in the cust_id parameter. When a victim visits this URL, the injected script runs in their browser, potentially stealing session cookies, hijacking sessions, redirecting users, injecting malicious content, or harvesting credentials.


How can this vulnerability impact me? :

This vulnerability can have several negative impacts on users and the system:

  • Attackers can steal session cookies, allowing them to hijack authenticated user sessions.
  • Users can be redirected to malicious websites without their consent.
  • Malicious scripts can be injected into the web page, potentially leading to credential theft or other malicious activities.
  • It can compromise user trust and the integrity of the online food ordering system.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the vulnerable parameter `cust_id` in the URL for reflected cross-site scripting (XSS). You can craft a URL with a JavaScript payload in the `cust_id` parameter and observe if the script executes in the browser.

For example, accessing the URL below will trigger an alert if the vulnerability exists:

  • http://localhost/dbfood/form/order.php?cust_id=<script>alert(document.cookie)</script>

If the alert with the document cookie appears, it confirms the presence of the XSS vulnerability.

Additionally, you can use tools like curl or wget to send the crafted GET request and inspect the response for unencoded script tags.

  • curl -i "http://localhost/dbfood/form/order.php?cust_id=<script>alert(1)</script>"
  • Observe the response HTML for the presence of the injected script tag without encoding.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing and validating the `cust_id` parameter to prevent script injection.

  • Apply output encoding to the `cust_id` parameter before rendering it in HTML, for example using PHP's htmlspecialchars function:
  • $cust_id = htmlspecialchars($_GET['cust_id'], ENT_QUOTES, 'UTF-8');
  • Validate the input to ensure it contains only expected values, such as casting to an integer:
  • $cust_id = intval($_GET['cust_id']);
  • Implement a Content Security Policy (CSP) header to restrict script execution, for example:
  • Content-Security-Policy: default-src 'self'; script-src 'self';

Follow secure development practices by never reflecting user input directly into HTML without encoding and applying strict input validation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability is a Reflected Cross-Site Scripting (XSS) issue that allows attackers to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, and unauthorized access to user data.

Such unauthorized access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity and confidentiality.

Failure to remediate this vulnerability could result in violations of these standards due to exposure of user credentials and session data, potentially leading to regulatory penalties and loss of user trust.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart