Cyber Resilience

CVE-2026-4615

Medium

Published: 24 March 2026

Modified: 24 April 2026

CVSS Score (v4): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Score: 0.0001 (2.9th percentile)

Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4615 is a medium-severity Injection (CWE-74) vulnerability in Sourcecodester (inferred from references). Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS exploit likelihood the CVE ranks at the 2.9th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4615 is a SQL injection vulnerability in SourceCodester Online Catering Reservation 1.0. The issue affects an unknown function in the /search.php file, where manipulation of the 'rcode' argument enables SQL code injection. It is classified under CWE-74 and CWE-89.

The vulnerability is remotely exploitable by unauthenticated attackers (PR:N) with low attack complexity (AC:L) and no user interaction required (UI:N), resulting in unchanged scope (S:U). Exploitation yields low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), for an overall CVSS v3.1 base score of 7.3. A public exploit is available and might be used.

Advisories on VulDB (ctiid.352479, id.352479, submit.775735) document the vulnerability details. Additional information and the exploit are provided in a GitHub repository at https://github.com/WHOAMI-xiaoyu/CVE/blob/main/CVE_5.md. The vendor site is at https://www.sourcecodester.com/.

Vulnerability details

A vulnerability was identified in SourceCodester Online Catering Reservation 1.0. Impacted is an unknown function of the file /search.php. Such manipulation of the argument rcode leads to SQL injection. The attack may be performed from remote. The exploit is publicly available and might be used.

CWE(s): CWE-74 (Injection), CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote SQL injection in public-facing web app (/search.php) directly enables initial access via exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3150 (shared CWE-74, CWE-89)
CVE-2026-3746 (shared CWE-74, CWE-89)
CVE-2025-2683 (shared CWE-74, CWE-89)
CVE-2026-5238 (shared CWE-74, CWE-89)
CVE-2026-4288 (shared CWE-74, CWE-89)
CVE-2026-2220 (shared CWE-74, CWE-89)
CVE-2025-1535 (shared CWE-74, CWE-89)
CVE-2026-0597 (shared CWE-74, CWE-89)
CVE-2026-1688 (shared CWE-74, CWE-89)
CVE-2026-5018 (shared CWE-74, CWE-89)

Affected Assets

Sourcecodester (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent): Directly prevents SQL injection by validating and sanitizing the 'rcode' input parameter in /search.php against injection attempts.

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of the SQL injection flaw in CVE-2026-4615 to eliminate the vulnerability.

Boundary protection (prevent, detect): Enforces boundary protection at web interfaces to monitor and block SQL injection payloads targeting the vulnerable /search.php endpoint.
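The SI-10 control above is the one a developer acts on directly. The following is an added example (not SourceCodester's code and not taken from the advisories) of how a /search.php-style lookup keyed on 'rcode' is written so the parameter cannot alter the query: the value is checked against an allow-list pattern, then bound with a prepared statement instead of being concatenated into SQL. The table name `reservations`, its columns, the assumed reservation-code format (6 to 12 alphanumeric characters) and the sample rows are all assumptions for illustration; the demo runs against an in-memory SQLite database so it needs no server.

```php
<?php
// Added example, not SourceCodester code. Hardened lookup of a reservation by
// 'rcode': allow-list validation (SI-10) followed by a parameterised query.
// Schema, column names and the rcode format are assumptions for illustration.

declare(strict_types=1);

// Step 1: validate the shape of the input before it reaches the database.
// A reservation code is assumed to be 6-12 alphanumeric characters; anything
// else is rejected outright rather than "sanitised".
function validateRcode(string $rcode): ?string
{
    return preg_match('/^[A-Za-z0-9]{6,12}$/', $rcode) === 1 ? $rcode : null;
}

// Step 2: bind the value with a prepared statement. Bound parameters are sent
// as data, so quote characters or keywords in the input never become SQL.
function findReservation(PDO $db, string $rcode): ?array
{
    $code = validateRcode($rcode);
    if ($code === null) {
        return null; // invalid input: no query is issued at all
    }
    $stmt = $db->prepare(
        'SELECT rcode, customer, event_date FROM reservations WHERE rcode = :rcode'
    );
    $stmt->execute([':rcode' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo with constructed data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE reservations (rcode TEXT PRIMARY KEY, customer TEXT, event_date TEXT)');
$db->prepare('INSERT INTO reservations VALUES (:c, :n, :d)')
   ->execute([':c' => 'RSV2026A', ':n' => 'Example Customer', ':d' => '2026-05-01']);

// Constructed inputs: one legitimate code, one malformed value of the kind a
// web application firewall would flag. Only the first yields a row; the second
// fails validation and never reaches the database.
$inputs = ['RSV2026A', "RSV2026A' OR '1'='1"];
foreach ($inputs as $in) {
    $result = findReservation($db, $in);
    printf("%-28s => %s\n", json_encode($in), $result === null ? 'rejected / no result' : json_encode($result));
}
```

Note the order of the two defences: the prepared statement alone would already keep the malformed value from changing the query, but the allow-list check also stops over-long or oddly shaped values from being logged, echoed or passed to other functions, which is the broader intent of SI-10. Logging rejected values (with the length capped) gives the boundary-protection control above something concrete to alert on.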
