Platform: php
Component: f7f1502ffc9f2aacc936a6e8f290b6a5
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Code-Projects Online Food Ordering System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides within the 'cust_id' parameter of the /form/order.php file within the Order Module. A fix is recommended to address this security risk.
Successful exploitation of CVE-2026-5157 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can lead to the theft of session cookies, allowing the attacker to impersonate the user and access sensitive data. Attackers could also inject malicious scripts to redirect users to phishing sites, display deceptive content, or modify the appearance of the application. Given the publicly available exploit, the risk of immediate exploitation is elevated, particularly for systems with weak input validation or insufficient security controls.
A public proof-of-concept exploit for CVE-2026-5157 is already available, indicating a high likelihood of active exploitation. The vulnerability was disclosed on 2026-03-30. The relatively low CVSS score of 4.3 reflects that user interaction is required to trigger the vulnerability, but the availability of a PoC significantly increases the risk. No KEV listing is currently available.
Organizations using Code-Projects Online Food Ordering System version 1.0, particularly those with publicly accessible instances and limited security controls, are at significant risk. Shared hosting environments where multiple users share the same server are also vulnerable, as an attacker could potentially exploit the vulnerability through another user's session.
• php / web: Examine access logs for requests to /form/order.php with unusual or suspicious values in the 'cust_id' parameter. Use grep to search the access log for script tags in requests to that endpoint (note that POST bodies are not recorded in a standard access log, so this only catches payloads passed in the query string).
grep -i '<script' /var/log/apache2/access.log | grep /form/order.php
• generic web: Use curl to test the /form/order.php endpoint with a simple XSS payload (e.g., <script>alert('XSS')</script>). Inspect the response body: if the payload is reflected unencoded, the endpoint is vulnerable.
curl -X POST -d "cust_id=<script>alert('XSS')</script>" http://your-server/form/order.php
Disclosure
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5157 is to upgrade to a patched version of Code-Projects Online Food Ordering System. Until an upgrade is possible, implement strict input validation on the 'cust_id' parameter in /form/order.php, ensuring that it only accepts expected data types and formats. Deploy a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting this specific endpoint. Consider implementing Content Security Policy (CSP) to restrict the sources from which scripts can be executed, further limiting the impact of a successful attack. After implementing mitigations, test the /form/order.php endpoint with various input strings to verify that the vulnerability is no longer exploitable.
Update Online Food Ordering System from 1.0 to a later version, if one is available, or apply a patch that properly filters and escapes the input of the cust_id parameter in the /form/order.php file so that XSS code injection is prevented.
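As an added illustration of the validate-then-encode advice above (this is not code from Code-Projects or from this advisory), the following is a hypothetical PHP handler for the cust_id parameter of /form/order.php. The function names, the assumption that cust_id is a positive integer, and the CSP policy shown are all assumptions made for this example:

```php
<?php
// Added example for the CVE-2026-5157 mitigation advice. Hypothetical handler,
// NOT the project's own code. Assumptions: cust_id is a positive integer and
// is echoed back into an HTML attribute on the order form.

// Mitigation 3 from the advisory: a Content Security Policy. Sent before any
// output; blocks inline scripts even if a reflection slips through.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

/**
 * Mitigation 2: strict allow-list input validation.
 * Returns the integer id, or null when the value is missing or malformed.
 */
function validate_cust_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    // ctype_digit() accepts only the characters 0-9, so signs, spaces,
    // angle brackets and quotes (as in the PoC payload) are all rejected.
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

/**
 * Contextual output encoding for HTML body and attribute context.
 * ENT_QUOTES also encodes single quotes, which matters inside value='...'.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- vulnerable pattern (the class of bug the advisory describes) ---
// echo "<input type='hidden' name='cust_id' value='" . $_POST['cust_id'] . "'>";
// A value containing <script> tags is reflected verbatim into the page.

// --- hardened pattern ---
$custId = validate_cust_id($_POST['cust_id'] ?? null);
if ($custId === null) {
    http_response_code(400);
    echo 'Invalid customer id.';
    exit;
}

// Encode on output even after validation, so that a later relaxation of the
// validator (e.g. allowing alphanumeric ids) cannot reintroduce the injection.
echo "<input type='hidden' name='cust_id' value='" . html_escape((string) $custId) . "'>";
```

To verify the fix, repeat the curl test from the detection section above: the request with the script payload should now receive a 400 response rather than a page that reflects the payload, and a legitimate numeric cust_id should be echoed back with any special characters entity-encoded.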
CVE-2026-5157 is a cross-site scripting (XSS) vulnerability in Code-Projects Online Food Ordering System version 1.0, allowing attackers to inject malicious scripts via the 'cust_id' parameter in /form/order.php.
If you are using Code-Projects Online Food Ordering System version 1.0, you are potentially affected. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the software. As a temporary workaround, implement strict input validation and WAF rules.
Due to the availability of a public proof-of-concept, there is a high probability that CVE-2026-5157 is being actively exploited.
Please refer to the Code-Projects website or security mailing list for the official advisory regarding CVE-2026-5157.