CVE-2026-4319
Published: 17 March 2026
Summary
CVE-2026-4319 is a high-severity Injection (CWE-74) vulnerability in Carmelo Simple Food Order System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 13.2 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents SQL injection by requiring validation of the manipulable 'price' argument in /routers/add-item.php before database queries.
SI-2 requires identification, reporting, and correction of the specific SQL injection flaw in the Simple Food Order System 1.0.
SI-9 restricts the 'price' input parameter to safe formats, such as numeric values only, which blocks SQL injection payloads.
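The following is an added illustration of the SI-10/SI-9 controls above, not code from the Simple Food Order System project (whose source for /routers/add-item.php is not reproduced on this page). It shows the two layers a defender would want in an "add item" handler: a strict numeric validator for the price argument, and a prepared statement so that request data can never alter the SQL. The table and column names, the request shape, and the in-memory SQLite database used for the self-check are assumptions.

```php
<?php
// Added example (hypothetical handler, not the project's own code).
// Demonstrates: (1) SI-9-style restriction of 'price' to a numeric format,
// (2) SI-10-style validation before any database query, (3) parameterized SQL.
declare(strict_types=1);

/**
 * Return the price as a canonical decimal string, or null if it is not a
 * plain non-negative amount such as "12" or "12.50". Anything else (quotes,
 * operators, whitespace-separated words) is rejected before it reaches SQL.
 */
function validatePrice(mixed $raw): ?string
{
    if (!is_string($raw) && !is_int($raw) && !is_float($raw)) {
        return null;
    }
    $s = trim((string) $raw);
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $s)) {
        return null;
    }
    return $s;
}

/**
 * Insert an item. Returns true on success, false when input is rejected.
 * The unsafe pattern this class of bug comes from is building the query from
 * request text, e.g. "INSERT INTO items ... VALUES ('$name', $price)".
 * Here the statement text is fixed and values are bound as parameters.
 */
function addItem(PDO $db, array $post): bool
{
    $price = validatePrice($post['price'] ?? null);
    $name  = trim((string) ($post['name'] ?? ''));
    if ($price === null || $name === '' || strlen($name) > 100) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO items (name, price) VALUES (:name, :price)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    // Bind the validated price as a string so a DECIMAL column stores it exactly.
    $stmt->bindValue(':price', $price, PDO::PARAM_STR);
    return $stmt->execute();
}

// Self-check against a constructed in-memory database (assumed schema).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL, price TEXT NOT NULL)');

// Constructed inputs: one well-formed request and two malformed price values.
$ok       = addItem($db, ['name' => 'Burger', 'price' => '12.50']);
$rejected = addItem($db, ['name' => 'Burger', 'price' => "1' OR '1'='1"]);
$rejectedToo = addItem($db, ['name' => 'Burger', 'price' => '12.5.0']);

$count = (int) $db->query('SELECT COUNT(*) FROM items')->fetchColumn();
printf("valid accepted: %s, malformed rejected: %s, rows stored: %d\n",
    $ok ? 'yes' : 'no',
    (!$rejected && !$rejectedToo) ? 'yes' : 'no',
    $count);
// Expected: valid accepted: yes, malformed rejected: yes, rows stored: 1
```

In a real deployment the PDO connection would point at the application's MySQL database (with `PDO::ATTR_EMULATE_PREPARES` set to false so the server performs the binding); the validator and the prepared statement are the parts that implement the two controls, and neither depends on the database backend.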
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote SQL injection in a public-facing web application (/routers/add-item.php) enables exploitation via T1190 without auth or interaction.
NVD Description
A vulnerability was identified in code-projects Simple Food Order System 1.0. Affected by this vulnerability is an unknown functionality of the file /routers/add-item.php. Such manipulation of the argument price leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.
Deeper analysis
CVE-2026-4319 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Simple Food Order System 1.0. The flaw affects an unknown functionality within the file /routers/add-item.php, where manipulation of the price argument triggers the injection. Published on 2026-03-17, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation without authentication, privileges, or user interaction. Attackers can launch SQL injection attacks over the network with low complexity, potentially achieving low-level impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption.
Advisories and details are documented on VulDB (ctiid.351363, id.351363, submit.772662), with a public exploit available via a GitHub issue at github.com/6Justdododo6/CVE/issues/14 and the software source at code-projects.org. No specific patches or mitigations are detailed in the primary description.
The exploit is publicly available and might be used in real-world attacks.
Details
- CWE(s)