CVE-2026-5018
Published: 28 March 2026
Summary
CVE-2026-5018 is a high-severity Injection (CWE-74) vulnerability in Carmelo Simple Food Order System. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly and comprehensively mitigates the SQL injection vulnerability by requiring validation of untrusted inputs like the 'Name' argument in register-router.php before SQL processing.
Mandates identification, reporting, and correction of the specific SQL injection flaw in the Parameter Handler component of Simple Food Order System 1.0.
Facilitates detection of the remotely exploitable SQL injection vulnerability through vulnerability scanning, enabling timely remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a remotely accessible web application (register-router.php) directly enables exploitation of a public-facing server-side component by unauthenticated attackers.
NVD Description
A weakness has been identified in code-projects Simple Food Order System 1.0. Affected is an unknown function of the file register-router.php of the component Parameter Handler. Executing a manipulation of the argument Name can lead to sql injection. The attack…
more
can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-5018 is a SQL injection vulnerability (CWE-74, CWE-89) in code-projects Simple Food Order System 1.0. The flaw resides in an unknown function within the file register-router.php of the Parameter Handler component, where manipulation of the "Name" argument enables injection of malicious SQL code.
The vulnerability is remotely exploitable by unauthenticated attackers (AV:N/AC:L/PR:N/UI:N) with low attack complexity and no user interaction required, earning a CVSS v3.1 base score of 7.3 (C:L/I:L/A:L/S:U). Successful exploitation can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption.
Advisories and further details are documented on VulDB (https://vuldb.com/vuln/353903), including CTI information (https://vuldb.com/vuln/353903/cti) and a submission entry (https://vuldb.com/submit/779336), as well as a GitHub issue (https://github.com/6Justdododo6/CVE/issues/16) and the project site (https://code-projects.org/). An exploit is publicly available and could be used for attacks.
Details
- CWE(s)