Platform: other
Component: order-up-online-ordering-system
Fixed in: 1.0.1
CVE-2026-24494 describes a critical SQL injection vulnerability in the Order Up Online Ordering System. The flaw lets an unauthenticated attacker read data directly from the backend database. Version 1.0 is affected. The advisory text below was written while a fix was still pending, and the page's metadata now lists 1.0.1 as the fixed version; until an installation is on a patched release, the mitigations described here are essential.
An attacker exploits the flaw by sending a crafted POST request to the /api/integrations/getintegrations endpoint with a malicious store_id parameter. Because the endpoint requires no authentication, the injected SQL runs against the backend database with whatever privileges the application's database account holds. Depending on what the database stores, this can expose customer records (names, addresses and, if stored, payment data), order history, and potentially administrative credentials. The blast radius is every table reachable by the application's database user, and the absence of an authentication requirement means anyone who can reach the endpoint can attempt exploitation.
CVE-2026-24494 was publicly disclosed on 2026-02-23. The vulnerability's simplicity and the lack of an authentication requirement make it an attractive target. No public proof-of-concept (PoC) had been observed as of this writing and the EPSS score is low, but injection flaws in unauthenticated endpoints are routinely picked up by automated scanners, so the likelihood of exploitation can rise quickly. It is not currently listed in the CISA KEV catalog.
Exploit Status: no public PoC observed as of this writing; not in CISA KEV
EPSS: 0.07% (21st percentile)
CISA SSVC: not provided on this page
CVSS Vector: not provided on this page
Given the severity and the lack of a readily available patch, immediate mitigation is essential. First, enforce strict input validation on the store_id parameter of the /api/integrations/getintegrations endpoint: a store identifier should be an integer, so reject any value that is not a plain positive number (quotes, spaces, comment sequences and keywords such as UNION have no business in it). Validation is a stopgap; the durable fix is for the application to pass store_id to the database as a bound parameter of a prepared statement rather than splicing it into SQL text. Deploy a Web Application Firewall (WAF) with SQL injection rules as defense in depth, not as a replacement for the fix. Where possible, restrict access to the endpoint to trusted networks or IP addresses. Monitor application and database logs for malformed queries, database error messages, and store_id values containing SQL metacharacters, all of which indicate exploitation attempts. After applying these mitigations, verify them with a controlled test request carrying a non-numeric store_id (for example a tautology such as 1 OR 1=1) and confirm that the request is rejected and that no rows beyond the requested store are returned.
Update to a patched version of the Order Up Online Ordering System (this page lists 1.0.1 as the fixed release). If you cannot update yet, contact the vendor for the corrected version and apply the mitigations recommended in the SpartansSec article.
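The following is an added illustration, not code from the Order Up Online Ordering System (whose language and schema are not given on this page): a store_id lookup in the injectable string-concatenation style beside its parameterized form, with the strict validator described above. The Python/SQLite stack, the integrations table and its column names are assumptions chosen for the demonstration; the sample rows are constructed.

```python
"""Vulnerable versus hardened handling of a store_id lookup.

Illustrative example only: the table layout, column names and SQLite backend
are assumptions, not the real Order Up implementation.
"""
import re
import sqlite3

# Allow-list: a positive decimal integer of at most 10 digits. Quotes, spaces,
# comment markers and keywords never pass, so they never reach the SQL layer.
STORE_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def build_sample_db():
    """Constructed in-memory database standing in for the application's store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE integrations (
            id INTEGER PRIMARY KEY, store_id INTEGER, name TEXT, api_key TEXT);
        INSERT INTO integrations VALUES (1, 1, 'pos',      'key-store-1');
        INSERT INTO integrations VALUES (2, 2, 'delivery', 'key-store-2');
        INSERT INTO integrations VALUES (3, 3, 'loyalty',  'key-store-3');
        """
    )
    return conn


def get_integrations_vulnerable(conn, store_id):
    """The injectable pattern: the request value is spliced into the SQL text."""
    sql = ("SELECT id, store_id, name, api_key FROM integrations "
           "WHERE store_id = " + str(store_id))
    return conn.execute(sql).fetchall()


def get_integrations_safe(conn, store_id):
    """Parameterized query: the driver binds the value as data, so the
    statement's structure cannot be altered by the caller."""
    return conn.execute(
        "SELECT id, store_id, name, api_key FROM integrations WHERE store_id = ?",
        (store_id,),
    ).fetchall()


def validate_store_id(raw):
    """Strict allow-list validation of the raw request parameter."""
    if not isinstance(raw, str) or not STORE_ID_RE.fullmatch(raw):
        raise ValueError("store_id must be a positive integer")
    return int(raw)


def handle_getintegrations(conn, params):
    """Hardened request handler: validate first, then query with a bound
    parameter. Returns (http_status, rows)."""
    try:
        store_id = validate_store_id(params.get("store_id", ""))
    except ValueError:
        return 400, []
    return 200, get_integrations_safe(conn, store_id)


if __name__ == "__main__":
    db = build_sample_db()
    # Tautology: the vulnerable path returns every store's integration and key.
    print(get_integrations_vulnerable(db, "1 OR 1=1"))
    # UNION: the same endpoint reads the schema out of sqlite_master.
    print(get_integrations_vulnerable(
        db, "0 UNION SELECT 1,2,name,sql FROM sqlite_master"))
    # The hardened handler rejects the payload before any SQL runs.
    print(handle_getintegrations(db, {"store_id": "1 OR 1=1"}))
    print(handle_getintegrations(db, {"store_id": "1"}))
```

The tautology and UNION payloads show why the page treats this as full database access rather than a single-record leak: once the parameter is spliced into the statement, the attacker chooses what the query selects. The hardened handler returns 400 for the same inputs without touching the database, and the bound parameter protects even values the validator might one day let through.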
CVE-2026-24494 is a critical SQL injection vulnerability affecting Order Up Online Ordering System version 1.0; a crafted POST request to the unauthenticated /api/integrations/getintegrations endpoint allows unauthorized access to the backend database.
If you are running Order Up Online Ordering System version 1.0, you are affected and should update or apply mitigations immediately.
The advisory text was written while a patch was pending; this page now lists 1.0.1 as the fixed release. Until you are on a fixed version, enforce input validation on store_id, deploy WAF rules, and restrict access to the vulnerable endpoint.
No active exploitation has been confirmed, but the vulnerability's simplicity and the lack of authentication make it a likely target for attackers.
Please refer to the Order Up Online Ordering System website or security channels for the official advisory regarding CVE-2026-24494.