CVE-2026-4841
Published: 26 March 2026
Summary
CVE-2026-4841 is an injection vulnerability (CWE-74; specifically SQL injection, CWE-89) in code-projects Online Food Ordering System 1.0. One reported base score is 6.9 (Medium); the Deeper analysis section below cites a CVSS v3.1 base score of 7.3 (High), so confirm which CVSS version each figure belongs to in the referenced VulDB entry before triaging on severity alone.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability sits at the 14.2 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog; a low percentile does not mean no exploitation, since a public proof of concept exists (see below).
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-4841 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Online Food Ordering System 1.0. The flaw is in an unspecified part of the file form/cart.php in the Shopping Cart Module: the value of the "del" argument reaches a database query without adequate validation or parameterisation, so manipulating it triggers the injection.
Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction. Exploitation yields partial impact on confidentiality, integrity and availability, reflected in its CVSS v3.1 base score of 7.3, High (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). A public exploit is available via a GitHub Gist.
VulDB advisories (ctiid.353147, id.353147, submit.776130) and the code-projects.org site document the issue, with the exploit gist providing proof-of-concept code. No specific patch is detailed in the available information, so practitioners should review these references, validate the del argument and move the affected query to parameterised statements in their own deployments, and limit network exposure of the application until a fix is available.
The public availability of the exploit increases the risk of real-world attacks against exposed instances of this system.
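The pattern described above, the cart-deletion parameter concatenated into SQL and the two controls that close it (input validation per SI-10, and a parameterised query), as an added example. This is not code from the Online Food Ordering System or from the referenced exploit gist: the actual query in form/cart.php is not reproduced on this page, so the table layout, the session scoping and the "2 OR 1=1" payload are constructed for illustration, using SQLite in place of the application's database.

```python
import re
import sqlite3

# Constructed stand-in for the application's cart storage. The real schema and
# the exact query in form/cart.php are not shown on the advisory page, so the
# table, column names and session scoping here are assumptions for illustration.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cart (id INTEGER PRIMARY KEY, session TEXT, item TEXT)")
    db.executemany(
        "INSERT INTO cart (id, session, item) VALUES (?, ?, ?)",
        [(1, "s1", "pizza"), (2, "s1", "salad"), (3, "s2", "burger")],
    )
    db.commit()
    return db

def remaining_rows(db):
    return db.execute("SELECT COUNT(*) FROM cart").fetchone()[0]

def delete_item_vulnerable(db, del_param):
    """CWE-89 anti-pattern: the raw request parameter becomes part of the SQL text.

    A plain value such as "2" works as intended; a crafted value such as
    "2 OR 1=1" rewrites the WHERE clause and removes every row.
    sqlite3's execute() refuses stacked statements, so this keeps the
    illustration to the boolean-logic variant of the attack.
    """
    db.execute("DELETE FROM cart WHERE id=" + del_param)
    db.commit()

class InvalidInput(ValueError):
    pass

# Allow-list for the del argument: a plain positive integer and nothing else.
DEL_RE = re.compile(r"[1-9][0-9]{0,9}")

def delete_item_safe(db, del_param, session):
    """Hardened version: validate first (SI-10), then bind the value as data.

    Returns the number of rows deleted (0 or 1).
    """
    if not DEL_RE.fullmatch(del_param):
        raise InvalidInput("del must be a positive integer")
    # Parameterised query: the value is bound by the driver and cannot alter the
    # SQL text. Scoping by session is an added authorisation check; keying a cart
    # by session is an assumption, not something the advisory states.
    cur = db.execute(
        "DELETE FROM cart WHERE id=? AND session=?", (int(del_param), session)
    )
    db.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = make_db()
    delete_item_vulnerable(db, "2 OR 1=1")
    print("rows left after injected delete:", remaining_rows(db))   # 0
    db = make_db()
    print("rows deleted by validated delete:", delete_item_safe(db, "2", "s1"))
    print("rows left:", remaining_rows(db))                          # 2
```

The validation step and the parameterised query are independent defences: the regex alone would still be wrong if a later developer widened it, and the bound parameter alone does not stop a user deleting another session's cart row, which is why the safe version also scopes the DELETE.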
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16110
Vulnerability details
A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file form/cart.php of the component Shopping Cart Module. Executing a manipulation of the argument del can lead to SQL injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in a public-facing web application (form/cart.php) is a direct instance of T1190: the attacker needs nothing more than network reach to the application and a crafted del argument. Detection therefore belongs at the web tier, where requests to cart.php with a non-numeric del value are visible in access logs or WAF telemetry.
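A detection check of the kind the T1190 mapping calls for, as an added example that is not part of the advisory: it parses web-server access lines in combined log format and flags any request to form/cart.php whose del argument is not a plain integer. The log lines are constructed for this example and are not real traffic; the path and parameter name come from the advisory, the assumption that del arrives in the query string (and so appears in access logs at all) does not.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format). Not real traffic.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [26/Mar/2026:10:01:02 +0000] "GET /form/cart.php?del=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Mar/2026:10:01:09 +0000] "GET /form/cart.php?del=3%20OR%201%3D1 HTTP/1.1" 200 498 "-" "python-requests/2.31"',
    '203.0.113.7 - - [26/Mar/2026:10:01:11 +0000] "GET /form/cart.php?del=3%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 498 "-" "sqlmap/1.7"',
    '198.51.100.2 - - [26/Mar/2026:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
])

# Client IP, timestamp, method, request target and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# The legitimate del value is an item id; anything that is not digits is suspect.
# parse_qs has already percent-decoded the value, so "3%20OR%201%3D1" is seen as
# "3 OR 1=1" here.
def is_suspicious_del(value):
    return re.fullmatch(r"[0-9]+", value) is None

def find_cart_injection_attempts(log_text):
    """Return one record per request to form/cart.php carrying a non-numeric del."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/form/cart.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("del", []):
            if is_suspicious_del(value):
                hits.append({"ip": m["ip"], "ts": m["ts"],
                             "status": m["status"], "del": value})
    return hits

def attempts_by_source(hits):
    """Aggregate flagged requests per client IP, the usual pivot for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for h in find_cart_injection_attempts(SAMPLE_LOG):
        print(h)
    print(attempts_by_source(find_cart_injection_attempts(SAMPLE_LOG)))
```

If the application reads del from a POST body rather than the query string, access logs will not contain the value and this check has to run on WAF or reverse-proxy request logging instead; treat an HTTP 200 on a flagged request as a reason to check the database, since an error-free response is consistent with a successful injection.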
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents the SQL injection by validating the manipulable del argument in form/cart.php before it reaches a database query; pairing the validation with parameterised queries closes the flaw even if the validation is later loosened.
- SI-2 (Flaw Remediation): Mandates timely flaw remediation, including patching or upgrading the vulnerable Shopping Cart Module once a fix is published; until then, reducing exposure of the application is the available compensating measure.
- RA-5 (Vulnerability Monitoring and Scanning): Requires vulnerability scanning to identify SQL injection flaws like CVE-2026-4841 in exposed instances of the Online Food Ordering System.