Cyber Resilience

CVE-2026-4533

MediumPublic PoC

Published: 22 March 2026

Published
22 March 2026
Modified
02 April 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0030 21.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-4533 is a medium-severity Injection (CWE-74) vulnerability in Carmelo Simple Food Order System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4533 is a SQL injection vulnerability (CWE-74, CWE-89) in the code-projects Simple Food Ordering System version 1.0. The issue affects an unknown functionality within the file all-tickets.php, where manipulation of the Status argument enables injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-03-22.

The vulnerability can be exploited remotely by an attacker with low privileges, such as an authenticated user, due to the low attack complexity and lack of required user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling data extraction, modification, or denial of service through SQL queries.

Advisories and references, including those from VulDB (ctiid.352321, id.352321, submit.774341) and a GitHub proof-of-concept detailing a time-based blind SQL injection, are available but do not specify patches or detailed mitigations in the provided information. The exploit is public and may be used.

Notable context includes the public availability of the exploit, increasing the risk of active exploitation against unpatched instances of this system.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was detected in code-projects Simple Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file all-tickets.php. The manipulation of the argument Status results in sql injection. It is possible to launch the attack…

more

remotely. The exploit is now public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a web-based ordering system directly enables remote exploitation of a public-facing application (T1190) and facilitates unauthorized data access/modification from the backend database (T1213.006) via crafted queries on the Status parameter.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5018Same product: Carmelo Simple Food Order System
CVE-2026-5017Same product: Carmelo Simple Food Order System
CVE-2026-5019Same product: Carmelo Simple Food Order System
CVE-2026-4319Same product: Carmelo Simple Food Order System
CVE-2026-26711Same product: Carmelo Simple Food Order System
CVE-2026-26712Same product: Carmelo Simple Food Order System
CVE-2026-26710Same product: Carmelo Simple Food Order System
CVE-2026-26713Same product: Carmelo Simple Food Order System
CVE-2026-4532Same product: Carmelo Simple Food Order System
CVE-2026-3736Same vendor: Carmelo

Affected Assets

carmelo
simple food order system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by validating and sanitizing user inputs such as the Status argument in all-tickets.php.

prevent

Remediates the specific SQL injection flaw in the Simple Food Ordering System by identifying, reporting, and correcting the vulnerable code.

detect

Detects the SQL injection vulnerability through regular scanning, enabling timely remediation before exploitation.

References