Cyber Resilience

CVE-2026-4319

Severity: Medium · Public PoC

Published: 17 March 2026

Modified: 08 April 2026

CVSS Score (v4.0): 6.9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0033 (24.3rd percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-4319 is a medium-severity Injection (CWE-74) vulnerability in Carmelo Simple Food Order System. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 24.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4319 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Simple Food Order System 1.0. The flaw affects an unknown functionality within the file /routers/add-item.php, where manipulation of the price argument triggers the injection. Published on 2026-03-17, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation without authentication, privileges, or user interaction. Attackers can launch SQL injection attacks over the network with low complexity, potentially achieving low-level impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption.

Advisories and details are documented on VulDB (ctiid.351363, id.351363, submit.772662), with a public exploit available via a GitHub issue at github.com/6Justdododo6/CVE/issues/14 and the software source at code-projects.org. No specific patches or mitigations are detailed in the primary description.

The exploit is publicly available and might be used in real-world attacks.

Vulnerability details

A vulnerability was identified in code-projects Simple Food Order System 1.0. Affected by this vulnerability is an unknown functionality of the file /routers/add-item.php. Such manipulation of the argument price leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct, unauthenticated SQL injection reachable over the network in a public-facing web application (/routers/add-item.php) maps to T1190: no credentials or user interaction are required.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5018: Same product: Carmelo Simple Food Order System
CVE-2026-5017: Same product: Carmelo Simple Food Order System
CVE-2026-5019: Same product: Carmelo Simple Food Order System
CVE-2026-26711: Same product: Carmelo Simple Food Order System
CVE-2026-26712: Same product: Carmelo Simple Food Order System
CVE-2026-26710: Same product: Carmelo Simple Food Order System
CVE-2026-4533: Same product: Carmelo Simple Food Order System
CVE-2026-26713: Same product: Carmelo Simple Food Order System
CVE-2026-4532: Same product: Carmelo Simple Food Order System
CVE-2026-3705: Same vendor: Carmelo

Affected Assets

Vendor: carmelo
Product: simple food order system
Version: 1.0

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation) directly prevents SQL injection by requiring validation of the manipulable 'price' argument in /routers/add-item.php before database queries.

Prevent: SI-2 (Flaw Remediation) requires identification, reporting, and correction of the specific SQL injection flaw in the Simple Food Order System 1.0.

Prevent: SI-9 restricts the 'price' input parameter to safe formats like numeric values only, blocking SQL injection payloads.
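The two input-side controls above (SI-10 validation and SI-9 restriction to numeric values) combine with parameterised queries into a small hardened handler. The following PHP is an added example written for this page; it is not code from the Simple Food Order System project and makes no claim about how /routers/add-item.php is actually written. The function names validate_price and add_item, the items table, and the in-memory SQLite database are all assumptions made so the snippet runs stand-alone.

```php
<?php
// Added example (not project code): a hypothetical add-item handler that
// allow-lists the "price" parameter and binds it through a prepared statement,
// so the value can never change the structure of the SQL that runs.
// Uses an in-memory SQLite database (pdo_sqlite) purely so it is self-contained.

declare(strict_types=1);

/**
 * Validate a price string against an allow-list: 1-6 digits with an optional
 * one- or two-digit fraction, and strictly positive. Returns the value
 * normalised to two decimals, or null if the input is rejected.
 */
function validate_price(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $raw = trim($raw);
    // Anything outside this pattern (quotes, operators, comment markers,
    // whitespace inside the value) is rejected before any SQL is built.
    if (preg_match('/^\d{1,6}(\.\d{1,2})?$/', $raw) !== 1) {
        return null;
    }
    if ((float) $raw <= 0.0) {
        return null;
    }
    return number_format((float) $raw, 2, '.', '');
}

/**
 * Insert a menu item. Validation narrows the accepted input (SI-9/SI-10);
 * parameter binding is the control that actually prevents injection, so both
 * are used rather than relying on either one alone.
 */
function add_item(PDO $db, string $name, string $rawPrice): bool
{
    $price = validate_price($rawPrice);
    if ($price === null) {
        // Reject the request outright instead of building a query from bad data.
        return false;
    }
    $stmt = $db->prepare('INSERT INTO items (name, price) VALUES (:name, :price)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':price', $price, PDO::PARAM_STR);
    return $stmt->execute();
}

// --- stand-alone demo with a constructed in-memory database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL, price TEXT NOT NULL)');

// A legitimate request is stored.
var_dump(add_item($db, 'Pizza', '9.50'));

// A constructed malformed value of the kind a tampered "price" field would
// carry is rejected by the allow-list; no query is ever built from it.
var_dump(add_item($db, 'Burger', "9.50' OR '1'='1"));

// Only the valid row is present.
$count = (int) $db->query('SELECT COUNT(*) FROM items')->fetchColumn();
echo "rows stored: {$count}\n";
```

Run it with `php add-item-hardened.php` (any file name; the pdo_sqlite extension must be enabled). A useful check when reviewing a real handler is that the price never appears inside a string passed to `query()` or `exec()`; if it does, the validation regex is the only barrier, and a single missed edge case in it reopens the injection.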
