VYPR
Medium severity · 4.3 · NVD Advisory · Published Mar 31, 2026 · Updated Apr 29, 2026

CVE-2026-5157

Description

A vulnerability was identified in code-projects Online Food Ordering System 1.0. Affected is an unknown function of the file /form/order.php of the component Order Module. Such manipulation of the argument cust_id leads to cross-site scripting. The attack may be performed from remote. The exploit is publicly available and might be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Online Food Ordering System 1.0 via unsanitized cust_id parameter in order.php allows remote attackers to execute arbitrary JavaScript.

Vulnerability Analysis

A reflected cross-site scripting (XSS) vulnerability exists in code-projects Online Food Ordering System 1.0. The issue is located in the Order module's file /form/order.php. The application fails to properly sanitize the cust_id parameter supplied via HTTP GET requests before reflecting it in the HTML response [1].

Exploitation

The attack is performed remotely via crafted URLs containing malicious JavaScript payloads. No authentication is required to exploit the vulnerability, making it accessible to any remote attacker. The exploit is publicly available, reducing the barrier for exploitation [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript code within the victim's browser context. Potential consequences include theft of session cookies, hijacking of authenticated sessions, redirection to malicious websites, injection of malicious content, and harvesting of user credentials [1].

Mitigation

The vulnerability affects version 1.0 of the product, hosted on code-projects.org [1][2]. As of the publication date, no official patch has been released. Users should validate the cust_id parameter and HTML-encode it before rendering it in the response, or implement a web application firewall (WAF) rule to block malicious payloads until an update is provided.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
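The mitigation advice above, as an added PHP example that is not the project's own code: an assumed vulnerable reflection of cust_id beside a hardened version that validates the value and HTML-encodes it on output. The attribute context, the integer format of cust_id and all function names are assumptions, since the page does not show the contents of /form/order.php.

```php
<?php
// Added illustrative example, not code from the code-projects project itself.
// Assumes /form/order.php reads cust_id from $_GET and echoes it into an HTML
// attribute; the real file's code is not shown on this page.
declare(strict_types=1);

// Vulnerable pattern: the raw query value is concatenated into the markup, so a
// value containing a quote and a closing bracket leaves the attribute.
function render_order_vulnerable(string $custId): string
{
    return '<input type="hidden" name="cust_id" value="' . $custId . '">';
}

// Step 1: validate against the expected shape. Assumption: customer IDs are
// positive integers; anything else is rejected before it reaches the page.
function validate_cust_id(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Step 2: encode on output regardless. ENT_QUOTES escapes " and ' so the value
// cannot terminate the attribute; ENT_SUBSTITUTE avoids empty output on bad UTF-8.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_order_safe(?int $custId): string
{
    if ($custId === null) {
        return '<p>Invalid customer id.</p>';
    }
    return '<input type="hidden" name="cust_id" value="' . html_attr((string) $custId) . '">';
}

// Constructed sample: a benign probe that breaks out of the attribute (no script).
$probe = '7"><b>probe</b><i x="';
echo render_order_vulnerable($probe), PHP_EOL;                 // markup survives intact
echo render_order_safe(validate_cust_id($probe)), PHP_EOL;     // rejected by validation
echo html_attr($probe), PHP_EOL;                               // what encoding alone yields
echo render_order_safe(validate_cust_id('42')), PHP_EOL;       // normal request
```

Validation narrows the accepted input to the shape the application actually needs, while output encoding remains the control that holds for any value that must be reflected as free text.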

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0. No linked articles in our index yet.