Platform: php
Component: cvesmarz
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in the Online Food Ordering System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability resides in the /dbfood/contact.php file, specifically within the handling of the 'Name' argument. A public exploit is available, increasing the risk of exploitation.
Successful exploitation of CVE-2026-4898 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and redirection to phishing sites. The attacker could potentially gain access to sensitive user data, such as order history, payment information, and personal details. Given the publicly available exploit, the risk of widespread exploitation is significant, particularly for systems with vulnerable configurations.
This vulnerability has a public proof-of-concept available, indicating a relatively high likelihood of exploitation. The CVE was published on 2026-03-26. The EPSS score is likely to be medium, reflecting the ease of exploitation and the potential impact. No active campaigns have been publicly reported as of this date, but the availability of a PoC increases the risk of opportunistic attacks.
Exploit Status: public proof-of-concept available
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2026-4898 is to upgrade to a patched version of the Online Food Ordering System. As no fixed version is specified, thoroughly review the codebase for the vulnerable parameter handling in /dbfood/contact.php. Input validation and sanitization are crucial. Implement strict input validation on the 'Name' parameter to prevent the injection of malicious scripts. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly scan the application for vulnerabilities using automated tools.
Update the Online Food Ordering System to a version later than 1.0 or apply a patch that corrects the Cross-Site Scripting (XSS) vulnerability in the contact.php file. Validate and sanitize user input in the 'Name' field to prevent the injection of malicious code.
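The validation and output-encoding mitigation described above, shown as an added example that is not code from the Online Food Ordering System project: the advisory does not reproduce contact.php, so the form field name 'Name', the response layout and the helper names are assumptions. The point the example makes is that validating the 'Name' field is useful but not sufficient on its own; the value must also be HTML-encoded at the point where it is written into the page, and a Content-Security-Policy header gives a second line of defence.

```php
<?php
// Added example, not code from the Online Food Ordering System project.
// The real contact.php is not reproduced on the advisory page; the form
// field name 'Name', the helper names and the page layout are assumptions.

declare(strict_types=1);

// Vulnerable pattern (illustrative): the submitted value is written back
// into the HTML response without encoding, so any markup it contains is
// interpreted by the browser instead of being displayed as text.
function render_name_unsafe(string $name): string
{
    return "<p>Thank you, " . $name . "!</p>";
}

// Hardened pattern, step 1: validate the field against what a name can
// reasonably contain (length limit and a conservative character set).
// Returns null when the value is rejected.
function validate_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // Letters from any script, combining marks, spaces, apostrophes,
    // hyphens and periods; must start with a letter.
    if (!preg_match('/^\p{L}[\p{L}\p{M} \'\-.]*$/u', $name)) {
        return null;
    }
    return $name;
}

// Hardened pattern, step 2: encode on output regardless of validation.
// ENT_QUOTES also encodes single quotes, so the value stays safe inside
// attribute values delimited with either quote style.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_name_safe(string $name): string
{
    return "<p>Thank you, " . html_escape($name) . "!</p>";
}

// Request handling as a hypothetical contact.php would do it: reject
// invalid input with a 400 and only ever render the encoded value.
function handle_contact_post(array $post): array
{
    $name = validate_name((string)($post['Name'] ?? ''));
    if ($name === null) {
        return ['status' => 400, 'body' => '<p>Please enter a valid name.</p>'];
    }
    return ['status' => 200, 'body' => render_name_safe($name)];
}

// Defence in depth: a CSP without 'unsafe-inline' stops injected inline
// scripts from executing even if an encoding bug slips through elsewhere.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    send_security_headers();
    $result = handle_contact_post($_POST);
    http_response_code($result['status']);
    echo $result['body'];
}

// Constructed sample input (not a value from the advisory) showing the
// difference when the script is run from the command line.
if (PHP_SAPI === 'cli') {
    $sample = '<script>alert(1)</script>';
    echo render_name_unsafe($sample), PHP_EOL;  // markup reaches the browser intact
    echo render_name_safe($sample), PHP_EOL;    // &lt;script&gt;... is rendered as text
    var_dump(validate_name($sample));          // NULL: rejected before rendering
}
```

Run it with `php contact_example.php` to see the unsafe and safe renderings side by side; deployed behind a web server, only the POST branch executes. The encoding helper is the essential fix for the flaw the advisory describes; the validation and CSP reduce exposure if another code path forgets to call it.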
CVE-2026-4898 is a cross-site scripting (XSS) vulnerability affecting Online Food Ordering System version 1.0, allowing attackers to inject malicious scripts via the /dbfood/contact.php file.
If you are using Online Food Ordering System version 1.0, you are potentially affected. Review the vulnerable file and implement input validation.
Upgrade to a patched version of the Online Food Ordering System. Implement strict input validation on the 'Name' parameter in /dbfood/contact.php and consider using a WAF.
A public proof-of-concept exists, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the Online Food Ordering System project's official website or security advisory page for updates and patches related to CVE-2026-4898.