VYPR
Medium severity (5.4) · NVD Advisory · Published Apr 8, 2026 · Updated Apr 29, 2026

CVE-2026-5811


Description

A vulnerability was identified in SourceCodester Online Food Ordering System 1.0. Affected by this issue is the function save_product of the file /Actions.php of the component POST Parameter Handler. Such manipulation of the argument price leads to business logic errors. The attack may be performed remotely. The exploit is publicly available and might be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SourceCodester Online Food Ordering System 1.0 fails to validate the price parameter server-side, allowing a product's price to be set to a negative value and causing business logic errors.

Vulnerability

Overview

CVE-2026-5811 is a business logic vulnerability in SourceCodester Online Food Ordering System 1.0. The issue resides in the save_product function within /Actions.php, where the price parameter is not validated on the server side. This allows an administrator to set a product's price to a negative value (e.g., -10.99) via a crafted POST request [1].

Exploitation

An attacker with administrative access can exploit this flaw by sending a POST request to Actions.php?a=save_product with the price field set to a negative number. The application accepts the value without checking that it is a positive number, and the negative price is stored in the database [1]. The attack is remote and does not require authentication beyond a valid admin session.

Impact

If a customer purchases a product with a negative price, the system may deduct the amount from the total bill instead of adding it, leading to financial discrepancies and billing errors. This corrupts the financial logic of the application and could result in incorrect order totals or revenue loss [1].

Mitigation

As of the publication date, no patch has been released by SourceCodester. The vendor's website [2] does not mention an update for this issue. Administrators should implement server-side validation to ensure the price parameter is a positive number. Given that a public exploit exists, this vulnerability may be added to CISA's Known Exploited Vulnerabilities (KEV) catalog in the future.
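The server-side check described above, written as an added example in PHP; this is not SourceCodester's code, and the handler name save_product_price and the response array shape are assumptions for illustration. Only the price field and the negative-value case come from the advisory.

```php
<?php
// Added example (not the project's code): strict server-side validation of a
// submitted price before it is stored. Returns the normalized price as a
// string with two decimal places, or null if the value is not an acceptable
// price (negative, zero, non-numeric, exponent notation, currency symbols).
function validate_price($raw): ?string
{
    if (!is_string($raw) && !is_int($raw) && !is_float($raw)) {
        return null;
    }
    $raw = trim((string) $raw);
    // Whitelist the shape instead of casting: digits with an optional fraction
    // of up to two places. No sign is allowed, so "-10.99" never passes.
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $raw)) {
        return null;
    }
    // A product must cost more than zero; "0" and "0.00" are rejected too.
    if ((float) $raw <= 0.0) {
        return null;
    }
    return number_format((float) $raw, 2, '.', '');
}

// Hypothetical handler sketch: reject the request before the value reaches the
// database and log the rejection so repeated attempts are visible in audit logs.
function save_product_price(array $post, string $remote_addr): array
{
    $price = validate_price($post['price'] ?? null);
    if ($price === null) {
        error_log('save_product: rejected invalid price from ' . $remote_addr);
        return ['status' => 'error', 'msg' => 'Price must be a positive number'];
    }
    // The caller would now bind $price in a prepared statement.
    return ['status' => 'success', 'price' => $price];
}

// Constructed sample inputs: a valid price, the negative value from the
// advisory, zero, and exponent notation that a loose (float) cast would accept.
foreach (['12.50', '-10.99', '0', '1e3'] as $sample) {
    var_dump(save_product_price(['price' => $sample], '203.0.113.10'));
}
```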

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)
