CVE-2026-4899
Description
A security flaw has been discovered in code-projects Online Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /dbfood/food.php. The manipulation of the argument cuisines results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in code-projects Online Food Ordering System 1.0 allows remote attackers to inject arbitrary JavaScript via the cuisines parameter in /dbfood/food.php.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in code-projects Online Food Ordering System 1.0. The flaw resides in the /dbfood/food.php endpoint, specifically within the cuisines parameter used when adding new food items. The application fails to properly sanitize or encode user-controlled input before storing it in the database and later rendering it in the web interface [1]. This is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication by injecting malicious JavaScript code into the cuisines field during the food creation process. For example, a payload such as <details/open/ontoggle=prompt(origin)> can be submitted. Because the input is stored and later displayed without proper output encoding, the payload executes automatically whenever the stored food item is viewed [1]. The exploit has been publicly released, increasing the risk of active attacks [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript within the context of the application. This can lead to session hijacking, cookie theft, unauthorized actions performed on behalf of an administrator, or injection of malicious content into the application interface [1]. The CVSS v3 base score is 2.4 (Low); under some interpretations this reflects a need for an authenticated session to reach the vulnerable functionality, although the reference notes that the attack can be launched remotely [1].
Mitigation
As of the publication date (2026-03-26), no official patch has been released by the vendor. The affected version is 1.0; the project's vendor URL is provided by code-projects [2]. Users should apply input validation and output encoding for the cuisines parameter, or consider migrating to a maintained alternative if one is available. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
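The following PHP snippet is an added illustration of the two controls recommended above; it is not code from the Online Food Ordering System project, and the function names, the table layout and the column name are assumptions made for the example. It places the unsafe pattern the advisory describes (a stored value echoed into HTML unchanged) next to a hardened version that validates the cuisines value on input and encodes it for the HTML context on output.

```php
<?php
// Added example, not code from the Online Food Ordering System project.
// Function names, the "food" table and its "cuisines" column are assumptions.

declare(strict_types=1);

// --- Vulnerable pattern (what the advisory describes; do not use) ---
// The stored string is concatenated straight into the page, so any markup
// it contains is interpreted by the browser of whoever views the item.
function render_cuisine_vulnerable(string $stored): string
{
    return "<td>" . $stored . "</td>";
}

// --- Hardened pattern ---
// 1. Validate on input: accept only characters a cuisine name legitimately
//    needs and cap the length. Returns null when the value is rejected.
function validate_cuisines(string $input): ?string
{
    $value = trim($input);
    if ($value === '' || strlen($value) > 128) {
        return null;
    }
    // Letters and digits in any script, spaces, hyphens, apostrophes, commas.
    if (!preg_match('/^[\p{L}\p{N} \-\',]+$/u', $value)) {
        return null;
    }
    return $value;
}

// 2. Encode on output: escape for the HTML context at the point of rendering,
//    independently of whatever validation happened when the value was stored.
function render_cuisine_safe(string $stored): string
{
    return "<td>" . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</td>";
}

// 3. Store through a prepared statement. This addresses SQL injection rather
//    than XSS, but the same handler is where both controls belong.
function store_cuisine(PDO $db, string $cuisines): void
{
    $stmt = $db->prepare('INSERT INTO food (cuisines) VALUES (:cuisines)');
    $stmt->execute([':cuisines' => $cuisines]);
}

// Constructed sample inputs: a benign cuisine name and the markup payload
// quoted in the advisory, as they might arrive in the "cuisines" field.
$samples = ['Thai', '<details/open/ontoggle=prompt(origin)>'];

foreach ($samples as $s) {
    $validated = validate_cuisines($s);
    echo "input:      " . $s . PHP_EOL;
    echo "validated:  " . ($validated ?? '(rejected)') . PHP_EOL;
    echo "vulnerable: " . render_cuisine_vulnerable($s) . PHP_EOL;
    echo "safe:       " . render_cuisine_safe($s) . PHP_EOL . PHP_EOL;
}
```

Run with `php example.php`: the benign value passes validation and renders unchanged in both branches, while the markup sample is rejected by the validator and, if it were nonetheless already present in the database, is rendered by the hardened function as inert escaped text. Output encoding is applied even to validated values because the database may hold rows that were written before validation was introduced.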
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.