CVE-2026-2136
Published: 08 February 2026
Summary
CVE-2026-2136 is a medium-severity Injection (CWE-74) vulnerability in Projectworlds Online Food Ordering System. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-2136 is a SQL injection vulnerability (CWE-74, CWE-89) in projectworlds Online Food Ordering System 1.0. The flaw resides in an unknown function within the file /view-ticket.php, where manipulation of the ID argument enables the injection.
The vulnerability is exploitable remotely by unauthenticated attackers (AV:N/AC:L/PR:N/UI:N) with low attack complexity and no user interaction required. Successful exploitation can result in limited impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 7.3. An exploit has been published and may be used.
Advisories and further details are documented in references such as https://github.com/hater-us/CVE/issues/4 and VulDB entries at https://vuldb.com/?ctiid.344771, https://vuldb.com/?id.344771, and https://vuldb.com/?submit.747230. No specific patches or mitigations are detailed in the CVE description.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5812
Vulnerability details
A flaw has been found in projectworlds Online Food Ordering System 1.0. This affects an unknown function of the file /view-ticket.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack…
more
remotely. The exploit has been published and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated SQL injection in a public-facing web application directly enables initial access via exploitation of public-facing apps.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the ID argument in /view-ticket.php to block SQL injection payloads before they reach the database.
Boundary protection mechanisms such as a WAF can inspect and drop remote SQL injection attempts targeting the unauthenticated view-ticket endpoint.
System monitoring can identify anomalous SQL syntax or error patterns originating from manipulation of the ID parameter.