{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5811", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-08T15:20:12.893Z", "datePublished": "2026-04-08T22:15:13.008Z", "dateUpdated": "2026-04-09T13:18:59.568Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-08T22:15:13.008Z"}, "title": "SourceCodester Online Food Ordering System POST Parameter Actions.php save_product logic error", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-840", "lang": "en", "description": "Business Logic Errors"}]}], "affected": [{"vendor": "SourceCodester", "product": "Online Food Ordering System", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["POST Parameter Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in SourceCodester Online Food Ordering System 1.0. Affected by this issue is the function save_product of the file /Actions.php of the component POST Parameter Handler. Such manipulation of the argument price leads to business logic errors. The attack may be performed from remote. The exploit is publicly available and might be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-08T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-08T17:25:17.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "FuKun (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/356259", "name": "VDB-356259 | SourceCodester Online Food Ordering System POST Parameter Actions.php save_product logic error", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356259/cti", "name": "VDB-356259 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/787678", "name": "Submit #787678 | SourceCodester Online Food Ordering System 1.0 Business Logic Errors", "tags": ["third-party-advisory"]}, {"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/BusinessLogic-Product-NegativePrice.md", "tags": ["exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T13:18:49.975627Z", "id": "CVE-2026-5811", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:18:59.568Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5811", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T13:18:49.975627Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:18:54.779Z"}}], "cna": {"tags": ["x_freeware"], "title": "SourceCodester Online Food Ordering System POST Parameter Actions.php save_product logic error", "credits": [{"lang": "en", "type": "reporter", "value": "FuKun (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "SourceCodester", "modules": ["POST Parameter Handler"], "product": "Online Food Ordering System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-08T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-08T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-08T17:25:17.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356259", "name": "VDB-356259 | SourceCodester Online Food Ordering System POST Parameter Actions.php save_product logic error", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356259/cti", "name": "VDB-356259 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/787678", "name": "Submit #787678 | SourceCodester Online Food Ordering System 1.0 Business Logic Errors", "tags": ["third-party-advisory"]}, {"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/BusinessLogic-Product-NegativePrice.md", "tags": ["exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in SourceCodester Online Food Ordering System 1.0. Affected by this issue is the function save_product of the file /Actions.php of the component POST Parameter Handler. Such manipulation of the argument price leads to business logic errors. The attack may be performed from remote. The exploit is publicly available and might be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-840", "description": "Business Logic Errors"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-08T22:15:13.008Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5811", "state": "PUBLISHED", "dateUpdated": "2026-04-09T13:18:59.568Z", "dateReserved": "2026-04-08T15:20:12.893Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-08T22:15:13.008Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in SourceCodester Online Food Ordering System 1.0. Affected by this issue is the function save_product of the file /Actions.php of the component POST Parameter Handler. Such manipulation of the argument price leads to business logic errors. The attack may be performed from remote. The exploit is publicly available and might be used."}], "id": "CVE-2026-5811", "lastModified": "2026-04-08T23:17:00.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-08T23:17:00.390", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/BusinessLogic-Product-NegativePrice.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/787678"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356259"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356259/cti"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-840"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "online_food_ordering_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-08T23:25:13.674606+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011supplied update or patch for the Online Food Ordering System that addresses the price validation flaw.", "If no update is available, investigate the source code and amend the price validation logic in Actions.php to reject negative or non\u2011numeric values.", "Deploy a web application firewall rule that blocks POST requests setting product price to negative values.", "Audit transaction logs and inventory data for anomalous pricing patterns that may indicate exploitation."], "summary": {"action": "Patch", "impact": "Business Logic Manipulation"}, "threat_synthesis": {"affected_systems": "SourceCodester Online Food Ordering System, version 1.0. The issue pertains specifically to the Actions.php component handling POST parameters.", "description_and_impact": "The vulnerability resides in the save_product function of SourceCodester's Online Food Ordering System, allowing an attacker to alter the POST parameter price. This manipulation bypasses the intended business logic, potentially enabling negative or invalid prices that can lead to revenue loss, inventory mismanagement, or fraudulent orders. The exploit is remote and publicly available, providing an attacker the ability to send crafted requests to the web application without any special authentication or local access.", "risk_and_exploitability": "With a CVSS score of 5.3, the vulnerability presents moderate severity. No EPSS score data is available, and the issue is not listed in the CISA KEV catalog, indicating that the likelihood of widespread exploitation is uncertain. The attack vector is remote, relying on the ability to send crafted POST requests to the involved endpoint. Because the exploit code is publicly available, operational security teams should treat this as a potential risk for systems that remain unpatched or misconfigured."}}}}, "created": "2026-04-09T08:16:19.552827+00:00", "updated": "2026-04-09T08:25:45.582200+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$online_food_ordering_system"]}