Platform
php
Component
cvesmarz
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in the Online Food Ordering System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability resides in the /dbfood/contact.php file, specifically within the handling of the 'Name' argument. A public exploit is available, increasing the risk of exploitation.
Successful exploitation of CVE-2026-4898 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and redirection to phishing sites. The attacker could potentially gain access to sensitive user data, such as order history, payment information, and personal details. Given the publicly available exploit, the risk of widespread exploitation is significant, particularly for systems with vulnerable configurations.
This vulnerability has a public proof-of-concept available, indicating a relatively high likelihood of exploitation. The CVE was published on 2026-03-26. The EPSS score is likely to be medium, reflecting the ease of exploitation and the potential impact. No active campaigns have been publicly reported as of this date, but the availability of a PoC increases the risk of opportunistic attacks.
Organizations utilizing the Online Food Ordering System version 1.0, particularly those with publicly accessible instances, are at risk. Shared hosting environments where multiple users share the same server resources are especially vulnerable, as a compromise of one user's account could potentially impact others.
• php / web:
curl -I 'http://your-target-domain.com/dbfood/contact.php?Name=<script>alert(1)</script>' | grep -i content-type
• generic web:
curl -s 'http://your-target-domain.com/dbfood/contact.php?Name=<script>alert(1)</script>' | grep 'alert(1)'
disclosure
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2026-4898 is to upgrade to a patched version of the Online Food Ordering System. As no fixed version is specified, thoroughly review the codebase for the vulnerable parameter handling in /dbfood/contact.php. Input validation and sanitization are crucial. Implement strict input validation on the 'Name' parameter to prevent the injection of malicious scripts. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly scan the application for vulnerabilities using automated tools.
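As an added illustration (not the project's code; the actual contact.php is not reproduced on this page), the following PHP contrasts the reflected-XSS pattern the advisory describes in the 'Name' parameter with the input validation and output encoding it recommends. The function names, the name-format policy, the optional CSP header and the sample input are assumptions made for the example.

```php
<?php
// Added example, not code from the Online Food Ordering System.
// The real contact.php is not on this page; this is an assumed, simplified
// handler for the 'Name' request parameter described in the advisory.
declare(strict_types=1);

// Vulnerable pattern: the raw request value is concatenated straight into HTML,
// so any markup in 'Name' is rendered by the victim's browser.
function render_name_unsafe(array $request): string
{
    $name = $request['Name'] ?? '';
    return '<p>Thank you, ' . $name . '</p>';
}

// Step 1 (validation): accept only what a person's name plausibly looks like.
// Assumed policy: 1-60 characters of Unicode letters, spaces, dots, apostrophes, hyphens.
function validate_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 60) {
        return null;
    }
    if (!preg_match('/^[\p{L} .\'-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Step 2 (output encoding): encode for the HTML context at the point of output.
// This is the control that actually stops XSS even if validation is bypassed
// or relaxed later; validation alone is not sufficient.
function render_name_safe(array $request): string
{
    $name = validate_name((string) ($request['Name'] ?? ''));
    if ($name === null) {
        return '<p>Invalid name.</p>';
    }
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Thank you, ' . $escaped . '</p>';
}

// Defence in depth (assumed deployment choice): a restrictive Content Security
// Policy blocks inline scripts so a reflected payload that slips through
// cannot execute. Send it before any output.
function send_csp_header(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    }
}

// Constructed sample input: the kind of value the advisory's PoC reflects.
$malicious = ['Name' => '<script>alert(1)</script>'];
$benign    = ['Name' => "O'Brien"];

send_csp_header();
// Unsafe rendering reflects the script tag verbatim.
echo render_name_unsafe($malicious), PHP_EOL;
// Safe rendering rejects the malicious value at validation.
echo render_name_safe($malicious), PHP_EOL;
// Safe rendering keeps a legitimate name but HTML-encodes the apostrophe.
echo render_name_safe($benign), PHP_EOL;
```

Validation and encoding are deliberately separate steps: the allow-list regex shrinks the attack surface and gives a clean place to log rejected input, while htmlspecialchars() is what guarantees the value can only ever be text inside the HTML body. If the name is later placed in a JavaScript string, a URL or an attribute, the encoding must be changed to match that context.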
Update the code-projects Online Food Ordering System to a version later than 1.0, or apply a patch that fixes the Cross-Site Scripting (XSS) vulnerability in the contact.php file. Validate and sanitize user input in the 'Name' field to prevent the injection of malicious code.
CVE-2026-4898 is a cross-site scripting (XSS) vulnerability affecting Online Food Ordering System version 1.0, allowing attackers to inject malicious scripts via the /dbfood/contact.php file.
If you are using Online Food Ordering System version 1.0, you are potentially affected. Review the vulnerable file and implement input validation.
Upgrade to a patched version of the Online Food Ordering System. Implement strict input validation on the 'Name' parameter in /dbfood/contact.php and consider using a WAF.
A public proof-of-concept exists, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the Online Food Ordering System project's official website or security advisory page for updates and patches related to CVE-2026-4898.
CVSS Vector