Cyber Posture

CVE-2026-4532

Severity: Medium · Public PoC

Published: 22 March 2026
Modified: 10 April 2026
KEV Added: not listed
Patch:
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0005 (16.7th percentile)
Risk Priority: 11 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4532 is a medium-severity Forced Browsing (CWE-425) vulnerability in Carmelo Simple Food Order System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 16.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Establishes secure configuration settings for the Database Backup Handler to prevent exposure of files and directories, as recommended by advisories.

prevent: Validates inputs to the backup handler functionality to block manipulation leading to unauthorized file or directory access via path traversal or forced browsing.

prevent: Enforces approved authorizations to restrict unauthenticated remote access to sensitive files and directories in the vulnerable /food/sql/food.sql component.
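As an added defender-side illustration (not code from this page or from the affected project), the following Python triages web server access log entries for direct requests to database backup artifacts such as /food/sql/food.sql and reports whether the server actually served them (2xx) or blocked them (403/404). The log lines are constructed samples and the sensitive-path patterns are assumptions to be tuned per deployment.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Mar/2026:10:01:02 +0000] "GET /food/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Mar/2026:10:01:09 +0000] "GET /food/sql/food.sql HTTP/1.1" 200 48210 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Mar/2026:10:02:15 +0000] "GET /food/sql/ HTTP/1.1" 403 199 "-" "curl/8.5.0"
198.51.100.4 - - [22/Mar/2026:10:02:20 +0000] "GET /food/sql/food.sql HTTP/1.1" 404 162 "-" "curl/8.5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed policy: directories and extensions a backup handler must never expose publicly.
SENSITIVE_RE = re.compile(
    r'(^|/)(sql|backup|backups|dump)(/|$)|\.(sql|bak|dump)(\.(gz|zip|tar))?$',
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Hit:
    ip: str
    path: str
    status: int
    served: bool  # True when the server returned content (2xx): exposure confirmed

def is_sensitive_path(path: str) -> bool:
    """Policy check: should the web server deny this URL path outright?"""
    path = path.split("?", 1)[0]  # ignore the query string
    return bool(SENSITIVE_RE.search(path))

def triage(log_text: str) -> list[Hit]:
    """Return every request for a sensitive path, flagging those that were served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_sensitive_path(m["path"]):
            continue
        status = int(m["status"])
        hits.append(Hit(m["ip"], m["path"], status, 200 <= status < 300))
    return hits

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(("EXPOSED " if h.served else "blocked ") + f"{h.ip} {h.path} {h.status}")
```

A served hit on a backup path means the configuration control above is missing on that host; blocked hits still show someone probing for it.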

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

A file disclosure vulnerability in a public-facing web application (forced browsing to a database backup) directly enables T1190 exploitation for initial access and T1005 collection of local system files and data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A security vulnerability has been detected in code-projects Simple Food Ordering System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /food/sql/food.sql of the component Database Backup Handler. The manipulation leads to files or directories accessible. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. It is recommended to change the configuration settings.

Deeper analysis

CVE-2026-4532 is a security vulnerability in the code-projects Simple Food Ordering System up to version 1.0, affecting an unknown functionality of the file /food/sql/food.sql within the Database Backup Handler component. The manipulation makes files or directories accessible to external parties, corresponding to CWE-425 (Direct Request ('Forced Browsing')) and CWE-552 (Files or Directories Accessible to External Parties). It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and was published on 2026-03-22.

The vulnerability can be exploited remotely by unauthenticated attackers, with low attack complexity and no user interaction required. Attackers can achieve limited disclosure of confidential information, such as access to files or directories, without affecting integrity or availability.

Advisories, including those from VulDB, recommend changing configuration settings to mitigate the issue. References such as the project's site, a GitHub repository detailing the information disclosure, and VulDB entries confirm the vulnerability details.

The exploit has been publicly disclosed and may be used, increasing the risk for unpatched instances of the affected software.

Details

CWE(s)

CWE-425 (Direct Request ('Forced Browsing')), CWE-552 (Files or Directories Accessible to External Parties)

Affected Products

Carmelo Simple Food Order System 1.0

CVEs Like This One

CVE-2026-5019 (same product: Carmelo Simple Food Order System)
CVE-2026-5018 (same product: Carmelo Simple Food Order System)
CVE-2026-26711 (same product: Carmelo Simple Food Order System)
CVE-2026-26710 (same product: Carmelo Simple Food Order System)
CVE-2026-26712 (same product: Carmelo Simple Food Order System)
CVE-2026-5017 (same product: Carmelo Simple Food Order System)
CVE-2026-4319 (same product: Carmelo Simple Food Order System)
CVE-2026-4533 (same product: Carmelo Simple Food Order System)
CVE-2026-26713 (same product: Carmelo Simple Food Order System)
CVE-2026-0699 (same vendor: Carmelo)

References