CVE-2026-4898

Vulnerability

Overview

The Online Food Ordering System 1.0 by code-projects contains a stored cross-site scripting (XSS) vulnerability in the /dbfood/contact.php endpoint. The application fails to properly sanitize or encode user-supplied input in the Name parameter before storing it in the backend database and later rendering it within administrative or other application views [1]. This is a classic case of CWE-79 – Improper Neutralization of Input During Web Page Generation [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication by submitting a crafted payload in the Name field of the contact form. For example, the payload <details/open/ontoggle=prompt(origin)> can be injected. Because the input is stored and later displayed without sanitization, the injected script executes automatically whenever the stored contact message is viewed by an administrator or other user [1]. The exploit is publicly available, lowering the barrier for attackers [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, theft of authentication cookies, unauthorized actions performed on behalf of authenticated users, or injection of malicious content into the application interface [1]. The severity is rated Medium (CVSS 4.3) due to the need for user interaction (viewing the stored message) and the potential for significant impact on confidentiality and integrity.

Mitigation

As of the publication date (2026-03-26), no patch has been released by the vendor. The vendor's website [2] lists the project but does not indicate an updated version. Users should apply input validation and output encoding to the Name parameter and consider restricting access to administrative views of contact submissions until a fix is available.