CVE-2026-5017
Published: 28 March 2026
Summary
CVE-2026-5017 is a high-severity Injection (CWE-74) vulnerability in Carmelo Simple Food Order System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection in the 'Status' parameter by requiring validation of all information inputs to the /all-tickets.php function before processing.
Requires timely identification, reporting, and correction of the specific SQL injection flaw in Simple Food Order System 1.0.
Enables vulnerability scanning to identify the SQL injection vulnerability in /all-tickets.php, facilitating prioritization for remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a network-accessible web app (all-tickets.php Status parameter) directly enables remote exploitation of a public-facing application without authentication or user interaction.
NVD Description
A security flaw has been discovered in code-projects Simple Food Order System 1.0. This impacts an unknown function of the file /all-tickets.php of the component Parameter Handler. Performing a manipulation of the argument Status results in sql injection. The attack…
more
can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2026-5017 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Simple Food Order System 1.0. The flaw affects an unknown function within the file /all-tickets.php of the Parameter Handler component, where manipulation of the 'Status' argument enables the injection. Published on 2026-03-28, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and ease of exploitation.
Unauthenticated remote attackers can exploit this vulnerability with low complexity and no user interaction required. By crafting malicious requests targeting the 'Status' parameter, attackers can execute arbitrary SQL queries, potentially leading to limited impacts on confidentiality (e.g., data exposure), integrity (e.g., data alteration), and availability (e.g., denial of service). A public exploit has been released, facilitating widespread attacks.
Advisories referenced in VulDB entries (e.g., https://vuldb.com/vuln/353902) and a GitHub issue (https://github.com/6Justdododo6/CVE/issues/15) document the issue, along with the project site at https://code-projects.org/. No specific patches or mitigation steps are detailed in the available disclosure.
The public availability of the exploit heightens the risk of real-world exploitation against unpatched instances of Simple Food Order System 1.0.
Details
- CWE(s)