{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26712", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-03T15:19:37.022Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-02T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-02T19:20:05.890Z"}, "descriptions": [{"lang": "en", "value": "code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket-admin.php."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Thirtypenny77/bug_report/blob/main/code-projects/simple-food-order-system/SQL-1.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T15:19:03.796798Z", "id": "CVE-2026-26712", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:19:37.022Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26712", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-03T15:19:03.796798Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:19:31.509Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Thirtypenny77/bug_report/blob/main/code-projects/simple-food-order-system/SQL-1.md"}], "descriptions": [{"lang": "en", "value": "code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket-admin.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-02T19:20:05.890Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26712", "state": "PUBLISHED", "dateUpdated": "2026-03-03T15:19:37.022Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-02T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:carmelo:simple_food_order_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "241FC05F-317E-46C5-B9C7-A3A53DD97B63", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket-admin.php."}], "id": "CVE-2026-26712", "lastModified": "2026-03-03T16:16:21.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-02T20:16:26.990", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Thirtypenny77/bug_report/blob/main/code-projects/simple-food-order-system/SQL-1.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "simple_food_order_system", "vendor": "carmelo"}], "analysis": {"en": {"generated_at": "2026-04-16T14:48:52.142538+00:00", "value": {"mitigation_remediation": ["Upgrade to a patched version of the Simple Food Order System that resolves the SQL injection in /food/view-ticket-admin.php, or apply a local patch that replaces dynamic query construction with prepared statements", "Implement strict authentication and access controls so that only authorized administrators can reach the view-ticket-admin.php endpoint", "Sanitize all user inputs rigorously and use parameterized queries to eliminate injection vectors", "Deploy a web application firewall configured to detect and block SQL injection patterns targeting this endpoint"], "summary": {"action": "Immediate Patch", "impact": "SQL Injection that allows unauthorized database access and potential data exfiltration or modification"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Simple Food Order System library version 1.0 developed by an unnamed vendor identified as Carmelo. No other versions or vendors are listed as affected.", "description_and_impact": "The Simple Food Order System v1.0 contains a flaw in the /food/view-ticket-admin.php endpoint that permits SQL injection. This weakness\u2014classified as CWE-89\u2014allows an attacker to manipulate database queries, read confidential order data, alter records, and potentially execute arbitrary commands if the underlying database privileges are permissive. The impact is loss of confidentiality, integrity, and potentially availability of the ordering system.", "risk_and_exploitability": "The CVSS score of 9.8 marks this issue as critical, yet the Enterprise Platform Security Score (EPSS) is reported as less than 1%, indicating a very low probability of exploitation under current conditions. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is a remote web request to the mentioned endpoint, although authentication requirements are not specified. Even with low current exploitation likelihood, the high severity warrants timely mitigation."}}}}, "created": "2026-03-03T08:46:24.410384+00:00", "title": "SQL Injection in Simple Food Order System Admin Ticket View Endpoint", "updated": "2026-04-16T15:00:14.314880+00:00", "vendors": ["carmelo", "carmelo$PRODUCT$simple_food_order_system"]}