CVE-2026-2136
7.3 HIGH
Published 2026-02-08 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
A vulnerability in the Online Food Ordering System version 1.0 allows remote attackers to inject malicious SQL commands through the 'ID' parameter in the /view-ticket.php file. This matters because it can let attackers steal or manipulate the database without needing special access.
Who is affected
Anyone using the affected version 1.0 of the software is at risk. An attacker could access, modify, or delete sensitive data in the database, such as customer orders and personal information.
Recommended fix
Apply any official patch from the vendor immediately. If a patch is not available, implement strict input validation and use parameterized queries for the /view-ticket.php file to block SQL injection.
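A sketch of the validation and parameterized-query pattern recommended above, as an added example that is not the vendor's code. The `tickets` table, its columns, the helper names and the in-memory SQLite database are assumptions so the script runs offline; the page does not describe the application's real schema or database driver.

```php
<?php
declare(strict_types=1);

// Constructed sample data: hypothetical `tickets` table in in-memory SQLite.
function sample_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT)');
    $pdo->exec("INSERT INTO tickets (id, subject) VALUES (1, 'Late delivery'), (2, 'Wrong order')");
    return $pdo;
}

// Returns the ticket row, or null when the ID is malformed or unknown.
function find_ticket(PDO $pdo, mixed $rawId): ?array
{
    // Strict validation: accept only a positive integer. Strings with extra
    // SQL text, empty values and arrays (ID[]=1) all fail here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Parameterized query: the value is bound as data, never concatenated.
    $stmt = $pdo->prepare('SELECT id, subject FROM tickets WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In a page handler the argument would be $_GET['ID'] ?? null, and a null
// result would be answered with a generic 404 rather than a database error.
$pdo = sample_db();
foreach (['2', '2 OR 1=1', '', ['1'], '999'] as $input) {
    $row = find_ticket($pdo, $input);
    printf("%-12s => %s\n", json_encode($input), $row === null ? 'rejected or not found' : $row['subject']);
}
```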
Technical Description
A flaw has been found in projectworlds Online Food Ordering System 1.0. It affects an unknown function of the file /view-ticket.php. Manipulating the argument ID can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-89, CWE-74