{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4900", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-26T14:33:58.586Z", "datePublished": "2026-03-26T21:56:46.312Z", "dateUpdated": "2026-03-30T11:46:20.001Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-26T21:56:46.312Z"}, "title": "code-projects Online Food Ordering System localhost.sql privilege escalation", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-552", "lang": "en", "description": "Files or Directories Accessible"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-425", "lang": "en", "description": "Direct Request"}]}], "affected": [{"vendor": "code-projects", "product": "Online Food Ordering System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file /dbfood/localhost.sql. This manipulation causes files or directories accessible. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. It is advisable to modify the configuration settings."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR"}}], "timeline": [{"time": "2026-03-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-26T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-26T15:39:05.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "AhmadMarzook (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.353642", "name": "VDB-353642 | code-projects Online Food Ordering System localhost.sql privilege escalation", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.353642", "name": "VDB-353642 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.776980", "name": "Submit #776980 | code-projects Online Food Ordering System in PHP 1.0 Information Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Online%20Food%20Ordering%20System%20in%20PHP%201.0%20%E2%80%93%20Sensitive%20Information%20Disclosure.md", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:46:10.674588Z", "id": "CVE-2026-4900", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:46:20.001Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4900", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T11:46:10.674588Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:46:16.356Z"}}], "cna": {"tags": ["x_freeware"], "title": "code-projects Online Food Ordering System localhost.sql privilege escalation", "credits": [{"lang": "en", "type": "reporter", "value": "AhmadMarzook (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:W/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:W/RC:UR"}}], "affected": [{"vendor": "code-projects", "product": "Online Food Ordering System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-26T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-26T15:39:05.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.353642", "name": "VDB-353642 | code-projects Online Food Ordering System localhost.sql privilege escalation", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.353642", "name": "VDB-353642 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.776980", "name": "Submit #776980 | code-projects Online Food Ordering System in PHP 1.0 Information Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Online%20Food%20Ordering%20System%20in%20PHP%201.0%20%E2%80%93%20Sensitive%20Information%20Disclosure.md", "tags": ["exploit"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file /dbfood/localhost.sql. This manipulation causes files or directories accessible. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. It is advisable to modify the configuration settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-552", "description": "Files or Directories Accessible"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-425", "description": "Direct Request"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-26T21:56:46.312Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4900", "state": "PUBLISHED", "dateUpdated": "2026-03-30T11:46:20.001Z", "dateReserved": "2026-03-26T14:33:58.586Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-26T21:56:46.312Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file /dbfood/localhost.sql. This manipulation causes files or directories accessible. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. It is advisable to modify the configuration settings."}, {"lang": "es", "value": "Se ha identificado una debilidad en el Sistema de Pedidos de Comida en L\u00ednea 1.0 de code-projects. Esto afecta una parte desconocida del archivo /dbfood/localhost.sql. Esta manipulaci\u00f3n provoca que los archivos o directorios sean accesibles. El ataque puede iniciarse de forma remota. El exploit se ha puesto a disposici\u00f3n del p\u00fablico y podr\u00eda usarse para ataques. Es aconsejable modificar la configuraci\u00f3n."}], "id": "CVE-2026-4900", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-26T22:16:32.153", "references": [{"source": "cna@vuldb.com", "url": "https://code-projects.org/"}, {"source": "cna@vuldb.com", "url": "https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Online%20Food%20Ordering%20System%20in%20PHP%201.0%20%E2%80%93%20Sensitive%20Information%20Disclosure.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.353642"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.353642"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.776980"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-425"}, {"lang": "en", "value": "CWE-552"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "online_food_ordering_system", "vendor": "code-projects"}], "analysis": {"en": {"generated_at": "2026-03-26T23:50:48.321194+00:00", "value": {"mitigation_remediation": ["Apply any available vendor patch for Online Food Ordering System 1.0.", "Modify the application's configuration to disallow relative path traversal or enforce strict path validation for localhost.sql.", "Restrict file permissions on localhost.sql and any directories containing sensitive files so the web server process cannot read them.", "Monitor application logs for abnormal access attempts to the database configuration files."], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Online Food Ordering System 1.0, developed by code-projects. The flaw resides in an unspecified section of the localhost.sql file, and no other vendors or product versions are listed.", "description_and_impact": "A path traversal flaw exists in the configuration file /dbfood/localhost.sql of the Online Food Ordering System. By manipulating the file path, an attacker can read an arbitrary file or directory that should normally be inaccessible. This disclosure permits the attacker to obtain sensitive configuration data or user credentials, and it potentially allows further exploitation of the system. The weakness aligns with information exposure and path traversal characteristics.", "risk_and_exploitability": "The severity score is 6.9 on the CVSS scale, indicating moderate risk, while the EPSS score is not available. It is not included in the CISA KEV catalog. The likely attack vector is remote, with an attacker able to send crafted web requests that trigger the traversal. Once exploited, the attacker can read arbitrary files, which could lead to privilege escalation or a broader compromise of the host. Publicly available exploit code has been referenced, increasing the realistic threat."}}}}, "created": "2026-03-27T08:31:33.817461+00:00", "updated": "2026-03-27T09:22:59.354869+00:00", "vendors": ["code-projects", "code-projects$PRODUCT$online_food_ordering_system"]}