Platform: php
Component: cvesmarz
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in the Online Food Ordering System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability resides in the /dbfood/contact.php file, specifically within the handling of the 'Name' argument. A public exploit is available, increasing the risk of exploitation.
Successful exploitation of CVE-2026-4898 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and redirection to phishing sites. The attacker could potentially gain access to sensitive user data, such as order history, payment information, and personal details. Given the publicly available exploit, the risk of widespread exploitation is significant, particularly for systems with vulnerable configurations.
This vulnerability has a public proof-of-concept available, indicating a relatively high likelihood of exploitation. The CVE was published on 2026-03-26. The EPSS score is likely to be medium, reflecting the ease of exploitation and the potential impact. No active campaigns have been publicly reported as of this date, but the availability of a PoC increases the risk of opportunistic attacks.
Organizations utilizing the Online Food Ordering System version 1.0, particularly those with publicly accessible instances, are at risk. Shared hosting environments where multiple users share the same server resources are especially vulnerable, as a compromise of one user's account could potentially impact others.
• php / web:
curl -I 'http://your-target-domain.com/dbfood/contact.php?Name=<script>alert(1)</script>' | grep -i content-type
• generic web:
curl -s 'http://your-target-domain.com/dbfood/contact.php?Name=<script>alert(1)</script>' | grep 'alert(1)'
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4898 is to upgrade to a patched version of the Online Food Ordering System. As no fixed version is specified, thoroughly review the codebase for the vulnerable parameter handling in /dbfood/contact.php. Input validation and sanitization are crucial. Implement strict input validation on the 'Name' parameter to prevent the injection of malicious scripts. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly scan the application for vulnerabilities using automated tools.
Update the Online Food Ordering System to a version later than 1.0, or apply a patch that fixes the Cross-Site Scripting (XSS) vulnerability in the contact.php file. Validate and sanitize user input in the 'Name' field to prevent the injection of malicious code.
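Added example, not code from the Online Food Ordering System: the unsafe reflection pattern that produces this class of bug in a contact.php-style handler, beside a version that validates the Name value and HTML-encodes it on output. It assumes contact.php reflects the submitted Name value into its HTML response; the function names are hypothetical.

```php
<?php
// Added example (not the project's own code). Assumes contact.php reflects
// the submitted Name value into the HTML it returns.
declare(strict_types=1);

// Vulnerable pattern: the raw Name value is concatenated into HTML unchanged,
// so a value such as <script>alert(1)</script> becomes live markup.
function renderGreetingVulnerable(string $name): string
{
    return "<p>Thank you, " . $name . "!</p>";
}

// Input validation for the Name field: trim, bound the byte length, and
// allow only letters, combining marks, spaces, apostrophes, hyphens and
// periods. Returns null when the value is rejected.
function validateName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 128) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M} \'\-.]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Output encoding at the point of insertion into HTML. ENT_QUOTES also
// encodes quotes, so the value would be safe inside an attribute as well.
function renderGreetingSafe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Thank you, " . $encoded . "!</p>";
}

// Request handler: validate the input first, encode on output regardless.
function handleContact(array $query): string
{
    $name = validateName((string)($query['Name'] ?? ''));
    if ($name === null) {
        return '<p>Please enter a valid name.</p>';
    }
    return renderGreetingSafe($name);
}

// Constructed sample input: the payload used in the detection commands above.
$payload = '<script>alert(1)</script>';
echo renderGreetingVulnerable($payload), PHP_EOL;   // script tag passes through
echo handleContact(['Name' => $payload]), PHP_EOL;  // rejected by validateName
echo handleContact(['Name' => "O'Brien"]), PHP_EOL; // accepted, apostrophe encoded
```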
CVE-2026-4898 is a cross-site scripting (XSS) vulnerability affecting Online Food Ordering System version 1.0, allowing attackers to inject malicious scripts via the /dbfood/contact.php file.
If you are using Online Food Ordering System version 1.0, you are potentially affected. Review the vulnerable file and implement input validation.
Upgrade to a patched version of the Online Food Ordering System. Implement strict input validation on the 'Name' parameter in /dbfood/contact.php and consider using a WAF.
A public proof-of-concept exists, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the Online Food Ordering System project's official website or security advisory page for updates and patches related to CVE-2026-4898.