CVE-2026-5018: SQL Injection in Simple Food Order System Registration Handler
A SQL injection vulnerability tracked as CVE-2026-5018 has been disclosed in code-projects Simple Food Order System 1.0. The flaw exists in the /register-router.php file, where the Name parameter is passed directly into a SQL query without sanitization. This is remotely exploitable and rated CVSS v3.1 7.3 (High) under CWE-89.
Unlike many SQL injection vulnerabilities limited to authenticated admin paths, this flaw resides in the registration flow — a publicly accessible endpoint — which significantly increases the attack surface and ease of exploitation.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-5018 |
| CVSS Score | 7.3 (High) |
| CWE Classification | CWE-89 — SQL Injection |
| Affected Software | code-projects Simple Food Order System 1.0 |
| Vulnerable File | /register-router.php |
| Vulnerable Parameter | Name |
| Attack Vector | Network (Remote) |
| Authentication Required | None (unauthenticated endpoint) |
| Exploit Published | Yes — public exploit available |
| Patch Available | None confirmed |
Technical Details
Affected Component
The vulnerability exists in the user registration module. The /register-router.php file accepts a Name POST parameter and constructs a SQL INSERT or SELECT query by directly concatenating the user-supplied value — no prepared statements or input escaping is applied.
Exploitation Mechanism
An attacker can send a crafted registration request with a malicious Name value:
```
POST /register-router.php
Name=attacker' OR '1'='1
Name=attacker'; DROP TABLE users;--
Name=attacker' UNION SELECT username,password,NULL FROM admin--
```
Because the registration endpoint is typically unauthenticated, this vulnerability is exploitable without any prior account access. Potential impacts include:
- Unauthenticated database access — no login required to exploit
- Full data extraction — all database tables exposed via UNION injection
- Account creation bypass — injection could manipulate registration logic
- Credential theft — admin and customer passwords extractable from the database
- Destructive queries — DROP TABLE and truncation attacks possible depending on DB permissions
Attack Flow
1. Attacker identifies a publicly accessible Simple Food Order System instance
2. Attacker submits registration form with injected Name parameter
3. Unsanitized Name value is embedded in SQL query on the server
4. SQL engine executes the injected query against the backend database
5. Attacker retrieves query results or manipulates database state
6. Full database contents — including admin credentials — become accessible
Affected Software Context
code-projects is a widely used repository of PHP web applications distributed for educational purposes. The Simple Food Order System 1.0 is among their more commonly deployed applications. The registration endpoint being vulnerable is particularly concerning: it exposes the SQL injection to any unauthenticated visitor, requiring no privileges to exploit.
This follows a pattern seen across multiple code-projects releases where registration and login handlers directly concatenate user input into database queries, a fundamental PHP security anti-pattern that has been well-understood for over two decades.
Remediation
Immediate Steps
- Take the registration endpoint offline if internet-accessible — disable or restrict /register-router.php until patched
- Deploy WAF rules targeting SQL injection patterns in POST body parameters
- Implement prepared statements — this is a code-level fix, not configurable at runtime
- Audit existing user accounts — injected registrations may have created unauthorized accounts
- Rotate all credentials — database passwords and application secrets should be considered compromised
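The prepared-statement step above, worked into a complete registration handler. This is an added example, not code from Simple Food Order System or from the advisory. The function names, the 100-character limit and the in-memory SQLite demo are assumptions; `users (name)` follows the snippet in the Code-Level Fix section.

```php
<?php
declare(strict_types=1);
// Added example. users.name follows the page's snippet; the function names,
// the 100-character limit and the SQLite demo database are assumptions.

function make_pdo(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface DB errors as exceptions
        PDO::ATTR_EMULATE_PREPARES => false, // bind server-side where the driver supports it
    ]);
}

/** Returns [HTTP status, message]. $post stands in for $_POST. */
function register_user(PDO $pdo, array $post): array
{
    $name = $post['Name'] ?? null;
    if (!is_string($name)) {            // missing, or sent as Name[]=...
        return [400, 'Name is required'];
    }
    $name = trim($name);
    if ($name === '' || strlen($name) > 100) {
        return [400, 'Name must be 1-100 characters'];
    }
    try {
        // The value travels as a bound parameter, so quotes stay data.
        $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
        $stmt->execute([':name' => $name]);
    } catch (PDOException $e) {
        error_log('registration failed: ' . $e->getMessage()); // detail goes to the log only
        return [500, 'Registration failed'];
    }
    return [201, 'Registered'];
}

// Constructed demo on an in-memory SQLite database (needs the pdo_sqlite extension).
$pdo = make_pdo('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed inputs; the third string is one of the values quoted on this page.
$inputs = ["Alice", "O'Brien", "attacker'; DROP TABLE users;--", ['x'], str_repeat('A', 500)];
foreach ($inputs as $input) {
    [$status, $message] = register_user($pdo, ['Name' => $input]);
    echo $status, ' ', $message, PHP_EOL;
}
// Show what was stored in the users table.
foreach ($pdo->query('SELECT id, name FROM users') as $row) {
    echo $row['id'], ': ', $row['name'], PHP_EOL;
}
```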
Code-Level Fix
```php
// Vulnerable pattern
$query = "INSERT INTO users (name) VALUES ('" . $_POST['Name'] . "')";
// Secure pattern (PDO prepared statement)
$stmt = $pdo->prepare("INSERT INTO users (name) VALUES (?)");
$stmt->execute([$_POST['Name']]);
```
Impact Assessment
| Impact Area | Description |
|---|---|
| Unauthenticated Access | Registration endpoint requires no login — exploit requires no credentials |
| Data Exposure | Full database readable via UNION injection |
| Account Manipulation | Registration logic can be bypassed or manipulated |
| Credential Theft | All stored usernames and passwords extractable |
| Data Destruction | Depending on DB permissions, DROP/TRUNCATE attacks possible |
Key Takeaways
- CVE-2026-5018 is a CVSS 7.3 SQL injection in code-projects Simple Food Order System 1.0, in the unauthenticated registration handler
- The Name POST parameter in /register-router.php is not sanitized, enabling remote database access with no credentials required
- Public exploit available — exploitation requires minimal attacker skill
- No official patch — immediate restriction of the registration endpoint is essential
- Registration endpoints are high-value SQLi targets due to their unauthenticated, public-facing nature