CVE-2026-14622

Authentication Bypass in Restaurant Website PHP MySQL

Vulnerability report for CVE-2026-14622, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulDB

Description

A vulnerability was found in jairiidriss restaurant-website-php-mysql up to commit 521428b5b612449df0cf4a5d15ee40cba67f3d35. It affects unknown code in the file /admin/ajax_files of the component AJAX Endpoint. Manipulation of this component results in missing authentication. The attack can be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery, so version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: jairiidriss
Product: restaurant_website_php_mysql
Version / Range: up to and including 521428b5b612449df0cf4a5d15ee40cba67f3d35

CWE

CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

AI Quick Actions

Executive Summary

This vulnerability exists in the restaurant-website-php-mysql project, specifically in the administrative AJAX endpoints such as menus_ajax.php, dashboard_ajax.php, menu_categories_ajax.php, and gallery_ajax.php.

These AJAX handlers perform sensitive administrative actions like deleting menus, modifying orders, managing categories, and uploading images without validating administrator sessions.

Because these endpoints lack session initialization or authentication validation, unauthenticated remote attackers can exploit this to perform unauthorized administrative operations.

The root cause is the absence of proper access controls and session checks in these AJAX files, even though the main admin pages enforce authentication.

A fix would require implementing mandatory session authentication checks before processing requests in all affected AJAX handlers.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to perform unauthorized administrative actions on the affected website.

  • Attackers can delete menu items.
  • Attackers can cancel orders.
  • Attackers can add or delete menu categories.
  • Attackers can upload arbitrary images.

Such unauthorized actions can disrupt business operations, cause data loss or corruption, and potentially damage the reputation of the affected restaurant website.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized access attempts to the administrative AJAX endpoints such as menus_ajax.php, dashboard_ajax.php, menu_categories_ajax.php, and gallery_ajax.php. Since these endpoints lack authentication checks, any requests to these URLs without a valid session could indicate exploitation attempts.

You can use network monitoring tools or web server logs to identify HTTP requests targeting these AJAX endpoints. Command-line tools such as curl or wget can be used to check whether the endpoints answer requests that carry no session cookie; run such checks only against a test copy of the site, since the second request below would actually delete a menu item if the authentication check is missing.

  • curl -I http://yourserver/admin/ajax_files/menus_ajax.php
  • curl -X POST http://yourserver/admin/ajax_files/dashboard_ajax.php -d 'action=delete_menu&id=1'

Additionally, review web server access logs for requests to these AJAX endpoints that carry no valid session cookie or token. Note that default access log formats (for example Apache's combined format) do not record the Cookie header, so either extend the log format to include it or have the handlers themselves log every rejected request.

Mitigation Strategies

Immediate mitigation involves implementing mandatory session authentication checks before processing any requests in the affected AJAX handlers. This means verifying that the user is authenticated as an administrator before allowing any administrative actions.

Specifically, ensure that all AJAX endpoint files such as menus_ajax.php, dashboard_ajax.php, menu_categories_ajax.php, and gallery_ajax.php initialize sessions and validate administrator sessions before executing any code.

If a patch or update is available from the project maintainers, apply it as soon as possible. Until then, restricting access to these AJAX endpoints via network controls (e.g., firewall rules or IP whitelisting) can reduce exposure.
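
The following guard implements the mitigation described above: it is an added example written for this page, not code from the restaurant-website-php-mysql project. It assumes the project's login handler stores an admin identifier in `$_SESSION['admin_id']`, and the file name `auth_guard.php` is hypothetical; the guard is meant to be included as the first line of each AJAX handler (menus_ajax.php, dashboard_ajax.php, menu_categories_ajax.php, gallery_ajax.php) before any action parameter is read.

```php
<?php
// admin/ajax_files/auth_guard.php (hypothetical file name, added example)
// Usage, as the very first statement of every admin AJAX handler:
//   require_once __DIR__ . '/auth_guard.php';
declare(strict_types=1);

// Harden the session cookie before the session is started: HttpOnly keeps it
// away from page scripts, SameSite=Strict stops browsers sending it on
// cross-site requests, Secure limits it to HTTPS when the site uses TLS.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Strict',
    'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
]);

// The root cause on this page is handlers that never initialise the session,
// so $_SESSION is empty even for a logged-in admin. Start it exactly once.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/**
 * True only when the current session belongs to a logged-in administrator.
 * 'admin_id' is an assumption about what the login page stores; adapt the
 * key to whatever the project's login handler actually sets.
 */
function is_admin_session(): bool
{
    return !empty($_SESSION['admin_id']);
}

if (!is_admin_session()) {
    // Reject before any action parameter ($_GET/$_POST) is read, so no
    // administrative code path can run. JSON keeps the front-end callers'
    // error handling simple instead of returning an HTML login page.
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'authentication required']);

    // Record the rejection for the detection guidance above: default access
    // logs cannot distinguish an anonymous request from an authenticated one.
    error_log(sprintf(
        'unauthenticated admin AJAX request: %s %s from %s',
        $_SERVER['REQUEST_METHOD'] ?? '?',
        $_SERVER['REQUEST_URI'] ?? '?',
        $_SERVER['REMOTE_ADDR'] ?? '?'
    ));
    exit;
}
```

The include must come before any other output or logic in each handler, because session_set_cookie_params() and header() fail once the response body has started.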

Compliance Impact

The vulnerability allows unauthenticated remote attackers to perform administrative actions such as deleting menu items, canceling orders, managing categories, and uploading arbitrary images without proper authentication checks.

This missing authentication in administrative AJAX endpoints could lead to unauthorized access and manipulation of sensitive data, which may violate compliance requirements for data protection and access control under standards like GDPR and HIPAA.

Specifically, the lack of session validation and access controls increases the risk of data breaches and unauthorized data modification, potentially impacting confidentiality, integrity, and availability of personal or sensitive information.
