CVE-2026-26712
Published: 02 March 2026
Summary
CVE-2026-26712 is a critical-severity SQL Injection (CWE-89) vulnerability in Carmelo Simple Food Order System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-26712 is an SQL Injection vulnerability (CWE-89) in code-projects Simple Food Order System v1.0, specifically affecting the /food/view-ticket-admin.php component. Published on 2026-03-02T20:16:26.990, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical.
The vulnerability can be exploited by unauthenticated remote attackers over the network with low complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, allowing attackers to execute arbitrary SQL queries, potentially leading to data extraction, modification, or deletion.
Mitigation details are documented in the advisory at https://github.com/Thirtypenny77/bug_report/blob/main/code-projects/simple-food-order-system/SQL-1.md.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9260
Vulnerability details
code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket-admin.php.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote SQL injection in a public-facing web app (/food/view-ticket-admin.php) directly enables initial access via exploitation of a public-facing application (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Information input validation directly prevents SQL injection by sanitizing and validating user inputs to /food/view-ticket-admin.php before database queries.
Flaw remediation addresses the specific SQL injection vulnerability through identification, prioritization, and correction of the flawed code.
Vulnerability monitoring and scanning identifies SQL injection flaws like CVE-2026-26712 and triggers timely remediation.