CVE-2026-4533
Published: 22 March 2026
Summary
CVE-2026-4533 is a medium-severity Injection (CWE-74) vulnerability in Carmelo Simple Food Order System. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by validating and sanitizing user inputs such as the Status argument in all-tickets.php.
Remediates the specific SQL injection flaw in the Simple Food Ordering System by identifying, reporting, and correcting the vulnerable code.
Detects the SQL injection vulnerability through regular scanning, enabling timely remediation before exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a web-based ordering system directly enables remote exploitation of a public-facing application (T1190) and facilitates unauthorized data access/modification from the backend database (T1213.006) via crafted queries on the Status parameter.
NVD Description
A vulnerability was detected in code-projects Simple Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file all-tickets.php. The manipulation of the argument Status results in sql injection. It is possible to launch the attack…
more
remotely. The exploit is now public and may be used.
Deeper analysisAI
CVE-2026-4533 is a SQL injection vulnerability (CWE-74, CWE-89) in the code-projects Simple Food Ordering System version 1.0. The issue affects an unknown functionality within the file all-tickets.php, where manipulation of the Status argument enables injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-03-22.
The vulnerability can be exploited remotely by an attacker with low privileges, such as an authenticated user, due to the low attack complexity and lack of required user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling data extraction, modification, or denial of service through SQL queries.
Advisories and references, including those from VulDB (ctiid.352321, id.352321, submit.774341) and a GitHub proof-of-concept detailing a time-based blind SQL injection, are available but do not specify patches or detailed mitigations in the provided information. The exploit is public and may be used.
Notable context includes the public availability of the exploit, increasing the risk of active exploitation against unpatched instances of this system.
Details
- CWE(s)