A cross-site scripting (XSS) vulnerability has been identified in the Online Food Ordering System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability resides in the /dbfood/contact.php file, specifically within the handling of the 'Name' argument. A public exploit is available, increasing the risk of exploitation.
Successful exploitation of CVE-2026-4898 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and redirection to phishing sites. The attacker could potentially gain access to sensitive user data, such as order history, payment information, and personal details. Given the publicly available exploit, the risk of widespread exploitation is significant, particularly for systems with vulnerable configurations.
This vulnerability has a public proof-of-concept available, indicating a relatively high likelihood of exploitation. The CVE was published on 2026-03-26. The EPSS score is likely to be medium, reflecting the ease of exploitation and the potential impact. No active campaigns have been publicly reported as of this date, but the availability of a PoC increases the risk of opportunistic attacks.
Organizations utilizing the Online Food Ordering System version 1.0, particularly those with publicly accessible instances, are at risk. Shared hosting environments where multiple users share the same server resources are especially vulnerable, as a compromise of one user's account could potentially impact others.
• php / web:
  curl -I 'http://your-target-domain.com/dbfood/contact.php?Name=<script>alert(1)</script>' | grep -i content-type
• generic web:
  curl -s 'http://your-target-domain.com/dbfood/contact.php?Name=<script>alert(1)</script>' | grep 'alert(1)'
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2026-4898 is to upgrade to a patched version of the Online Food Ordering System. As no fixed version is specified, thoroughly review the codebase for the vulnerable parameter handling in /dbfood/contact.php. Input validation and sanitization are crucial. Implement strict input validation on the 'Name' parameter to prevent the injection of malicious scripts. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out malicious requests. Regularly scan the application for vulnerabilities using automated tools.
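The following is an added illustration of the validate-then-encode approach recommended above for the 'Name' parameter; it is not the project's own code (the page does not show contact.php itself), and the function names, the allowlist and the surrounding HTML are assumptions made for the example.

```php
<?php
// Added example, not the project's code: a defensive handler for the 'Name'
// parameter of a contact form. Function names, the allowlist pattern and the
// HTML around the value are assumptions for illustration.

declare(strict_types=1);

// Step 1: validate the raw value against an allowlist before using it at all.
// Returns null when the input is absent or does not look like a person's name.
function validate_name(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $name = trim($raw);
    // Letters in any script, combining marks, spaces, periods, apostrophes and
    // hyphens, 1-80 characters. Angle brackets, quotes, slashes and parentheses
    // (the characters a script payload needs) are rejected outright.
    if ($name === '' || mb_strlen($name, 'UTF-8') > 80) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Step 2: encode for the HTML context in which the value is reflected. Even a
// validated value is encoded, so a later relaxation of the allowlist cannot
// reintroduce the XSS. ENT_QUOTES escapes both quote styles, which makes the
// same helper safe inside a quoted attribute value as well as in element text.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Usage in the shape a contact page would have: accept GET or POST, answer bad
// input with a generic message and never echo the rejected value back.
$name = validate_name($_POST['Name'] ?? $_GET['Name'] ?? null);
if ($name === null) {
    http_response_code(400);
    echo '<p>Please enter a valid name.</p>';
    exit;
}
echo '<p>Thank you, ' . html_escape($name) . '!</p>';
echo '<input type="text" name="Name" value="' . html_escape($name) . '">';
```

With this in place the probe request shown above (`Name=<script>alert(1)</script>`) is rejected at step 1, and any value that does reach the page is rendered as inert text by step 2.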
Update the Online Food Ordering System to a version later than 1.0, or apply a patch that fixes the cross-site scripting (XSS) vulnerability in the contact.php file. Validate and sanitize user input in the 'Name' field to prevent malicious code injection.
CVE-2026-4898 is a cross-site scripting (XSS) vulnerability affecting Online Food Ordering System version 1.0, allowing attackers to inject malicious scripts via the /dbfood/contact.php file.
If you are using Online Food Ordering System version 1.0, you are potentially affected. Review the vulnerable file and implement input validation.
Upgrade to a patched version of the Online Food Ordering System. Implement strict input validation on the 'Name' parameter in /dbfood/contact.php and consider using a WAF.
A public proof-of-concept exists, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the Online Food Ordering System project's official website or security advisory page for updates and patches related to CVE-2026-4898.