CVE-2026-4615
Published: 24 March 2026
Summary
CVE-2026-4615 is a medium-severity Injection (CWE-74) vulnerability in a SourceCodester product (the vendor is inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 2.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-4615 is a SQL injection vulnerability in SourceCodester Online Catering Reservation 1.0. The issue affects an unknown function in the /search.php file, where manipulation of the 'rcode' argument enables SQL code injection. It is classified under CWE-74 and CWE-89.
The vulnerability is remotely exploitable by unauthenticated attackers (PR:N) with low attack complexity (AC:L), no user interaction required (UI:N) and unchanged scope (S:U). Exploitation yields low impacts on confidentiality, integrity and availability (C:L/I:L/A:L), for an overall CVSS v3.1 base score of 7.3. A public exploit is available and might be used.
Advisories on VulDB (ctiid.352479, id.352479, submit.775735) document the vulnerability details. Additional information and the exploit are provided in a GitHub repository at https://github.com/WHOAMI-xiaoyu/CVE/blob/main/CVE_5.md. The vendor site is at https://www.sourcecodester.com/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14662
Vulnerability details
A vulnerability was identified in SourceCodester Online Catering Reservation 1.0. Impacted is an unknown function of the file /search.php. Such manipulation of the argument rcode leads to SQL injection. The attack may be performed from remote. The exploit is publicly available and might be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in a public-facing web application (/search.php) directly enables initial access through exploitation of a public-facing application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by validating and sanitizing the 'rcode' input parameter in /search.php against injection attempts.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the SQL injection flaw in CVE-2026-4615 to eliminate the vulnerability.
- SC-7 (Boundary Protection): enforces boundary protection at web interfaces to monitor and block SQL injection payloads targeting the vulnerable /search.php endpoint.
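The following is an added example of how the SI-10 control above would be applied to the rcode parameter of a search handler; it is not SourceCodester's code, and the table name `reservations`, its column names, the PDO connection details and the accepted rcode format are all assumptions.

```php
<?php
// Added example, not the vendor's code. The advisory describes the
// unsafe pattern of interpolating $_GET['rcode'] into a SQL string;
// this handler applies a whitelist check and a bound parameter instead.

declare(strict_types=1);

/**
 * Input validation (SI-10): reservation codes are assumed to be
 * 4 to 16 alphanumeric characters. Anything else is rejected before
 * it ever reaches the database layer.
 */
function isValidRcode(string $rcode): bool
{
    return preg_match('/^[A-Za-z0-9]{4,16}$/', $rcode) === 1;
}

/**
 * Look up reservations by code with a bound parameter, so the value
 * is always treated as data and can never alter the query structure.
 * Table and column names are assumptions for this example.
 */
function findReservations(PDO $db, string $rcode): array
{
    if (!isValidRcode($rcode)) {
        return [];
    }
    $stmt = $db->prepare(
        'SELECT id, reservation_code, customer_name, reservation_date
           FROM reservations WHERE reservation_code = :rcode'
    );
    $stmt->bindValue(':rcode', $rcode, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling for /search.php?rcode=... (connection details assumed).
$db = new PDO('mysql:host=localhost;dbname=catering', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$rcode = (string) ($_GET['rcode'] ?? '');
if (!isValidRcode($rcode)) {
    http_response_code(400);
    exit('Invalid reservation code');
}
header('Content-Type: application/json');
echo json_encode(findReservations($db, $rcode));
```

Rejected requests (HTTP 400) can additionally be logged at the web tier to give the SC-7 boundary controls a signal for attempts against this parameter.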