CVE-2026-5019: SQL Injection in code-projects Simple Food Order System (Orders)

CVE-2026-5019: SQL Injection in Simple Food Order System Orders Module

A SQL injection vulnerability tracked as CVE-2026-5019 has been disclosed in code-projects Simple Food Order System 1.0. The flaw resides in the /all-orders.php endpoint, where the Status parameter is passed directly into a SQL query without validation. The vulnerability is remotely initiatable and carries a CVSS v3.1 score of 7.3 (High), classified under CWE-89.

This is the third SQL injection CVE disclosed in the same application within a 24-hour window (alongside CVE-2026-5017 and CVE-2026-5018), underscoring a systemic lack of input validation throughout the code-projects Simple Food Order System codebase.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-5019
CVSS Score	7.3 (High)
CWE Classification	CWE-89 — SQL Injection
Affected Software	code-projects Simple Food Order System 1.0
Vulnerable File	`/all-orders.php`
Vulnerable Parameter	`Status`
Attack Vector	Network (Remote)
Authentication Required	Low
Exploit Published	Yes — public exploit available
Patch Available	None confirmed

Technical Details

Affected Component

The vulnerability is in the order management module. The /all-orders.php endpoint accepts a Status parameter to filter orders by their fulfilment state (e.g., pending, completed, cancelled). This parameter is directly concatenated into a SQL query string without escaping or use of prepared statements.

Exploitation Mechanism

An attacker can manipulate the Status parameter to inject arbitrary SQL:

/all-orders.php?Status=1' OR '1'='1
/all-orders.php?Status=pending' UNION SELECT username,password,email,NULL FROM users--
/all-orders.php?Status=1'; UPDATE orders SET status='cancelled' WHERE '1'='1--

Potential exploitation outcomes include:

Full order database dump — all order history, customer details, and fulfilment records
Customer PII exposure — names, addresses, phone numbers associated with orders
Inventory and pricing data — menu items, pricing structures, and stock levels
Credential extraction — admin usernames and passwords from the users table
Data manipulation — order status, pricing, and records can be modified or deleted

Attack Flow

1. Attacker discovers an internet-facing Simple Food Order System deployment

2. Attacker crafts a malicious Status parameter value targeting /all-orders.php

3. Server embeds the unsanitized value into a SQL query and executes it

4. Injected SQL returns database contents or modifies records as directed

5. Customer PII, order data, and admin credentials are exfiltrated

6. Attacker leverages extracted credentials for further access or sells data

Relationship to CVE-2026-5017 and CVE-2026-5018

This vulnerability was disclosed alongside two others affecting the same application:

CVE	Affected File	Parameter
CVE-2026-5017	`/all-tickets.php`	`Status`
CVE-2026-5018	`/register-router.php`	`Name`
CVE-2026-5019	`/all-orders.php`	`Status`

The simultaneous disclosure of three SQL injection flaws in a single application version strongly suggests that the entire codebase was built without parameterized queries — any endpoint accepting user input should be treated as potentially vulnerable until a full audit is completed.

Remediation

Immediate Steps

Restrict the orders endpoint — Block /all-orders.php from public internet access
Deploy WAF rules — Enable SQL injection detection on all PHP endpoints
Audit the entire codebase — Given the pattern of three SQLi CVEs, every file with $_GET or $_POST usage should be reviewed
Implement prepared statements throughout the application — PDO is the recommended approach
Rotate all credentials — Treat all stored passwords as potentially compromised

Code-Level Fix

// Vulnerable pattern
$query = "SELECT * FROM orders WHERE Status = '" . $_GET['Status'] . "'";
 
// Secure pattern (PDO prepared statement)
$stmt = $pdo->prepare("SELECT * FROM orders WHERE Status = ?");
$stmt->execute([$_GET['Status']]);

Impact Assessment

Impact Area	Description
Order Data Exposure	Full order history and customer details accessible
Customer PII	Names, addresses, and contact info tied to orders at risk
Credential Theft	Admin passwords extractable from the database
Data Manipulation	Orders can be modified, cancelled, or deleted via UPDATE/DELETE injection
Systemic Risk	Three SQLi CVEs in same version suggest broader codebase vulnerability

Key Takeaways

CVE-2026-5019 is a CVSS 7.3 SQL injection in code-projects Simple Food Order System 1.0, in the orders listing module
The Status parameter in /all-orders.php is unsanitized, enabling database manipulation from remote attackers
This is the third SQL injection CVE disclosed in this application within 24 hours — the entire codebase should be considered unsafe for production
No official patch — restrict internet access to the application immediately
Operators should perform a full SQL audit of all PHP files in the project before any further use

Sources

CVE-2026-5019 — NIST NVD

CVE-2026-5019: SQL Injection in Simple Food Order System Orders Module

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-5019
CVSS Score	7.3 (High)
CWE Classification	CWE-89 — SQL Injection
Affected Software	code-projects Simple Food Order System 1.0
Vulnerable File	`/all-orders.php`
Vulnerable Parameter	`Status`
Attack Vector	Network (Remote)
Authentication Required	Low
Exploit Published	Yes — public exploit available
Patch Available	None confirmed

Technical Details

Affected Component

Exploitation Mechanism

An attacker can manipulate the Status parameter to inject arbitrary SQL:

/all-orders.php?Status=1' OR '1'='1
/all-orders.php?Status=pending' UNION SELECT username,password,email,NULL FROM users--
/all-orders.php?Status=1'; UPDATE orders SET status='cancelled' WHERE '1'='1--

Potential exploitation outcomes include:

Full order database dump — all order history, customer details, and fulfilment records
Customer PII exposure — names, addresses, phone numbers associated with orders
Inventory and pricing data — menu items, pricing structures, and stock levels
Credential extraction — admin usernames and passwords from the users table
Data manipulation — order status, pricing, and records can be modified or deleted

Attack Flow

1. Attacker discovers an internet-facing Simple Food Order System deployment

2. Attacker crafts a malicious Status parameter value targeting /all-orders.php

3. Server embeds the unsanitized value into a SQL query and executes it

4. Injected SQL returns database contents or modifies records as directed

5. Customer PII, order data, and admin credentials are exfiltrated

6. Attacker leverages extracted credentials for further access or sells data

Relationship to CVE-2026-5017 and CVE-2026-5018

This vulnerability was disclosed alongside two others affecting the same application:

CVE	Affected File	Parameter
CVE-2026-5017	`/all-tickets.php`	`Status`
CVE-2026-5018	`/register-router.php`	`Name`
CVE-2026-5019	`/all-orders.php`	`Status`

Remediation

Immediate Steps

Restrict the orders endpoint — Block /all-orders.php from public internet access
Deploy WAF rules — Enable SQL injection detection on all PHP endpoints
Audit the entire codebase — Given the pattern of three SQLi CVEs, every file with $_GET or $_POST usage should be reviewed
Implement prepared statements throughout the application — PDO is the recommended approach
Rotate all credentials — Treat all stored passwords as potentially compromised

Code-Level Fix

// Vulnerable pattern
$query = "SELECT * FROM orders WHERE Status = '" . $_GET['Status'] . "'";
 
// Secure pattern (PDO prepared statement)
$stmt = $pdo->prepare("SELECT * FROM orders WHERE Status = ?");
$stmt->execute([$_GET['Status']]);

Impact Assessment

Impact Area	Description
Order Data Exposure	Full order history and customer details accessible
Customer PII	Names, addresses, and contact info tied to orders at risk
Credential Theft	Admin passwords extractable from the database
Data Manipulation	Orders can be modified, cancelled, or deleted via UPDATE/DELETE injection
Systemic Risk	Three SQLi CVEs in same version suggest broader codebase vulnerability

Key Takeaways

CVE-2026-5019 is a CVSS 7.3 SQL injection in code-projects Simple Food Order System 1.0, in the orders listing module
The Status parameter in /all-orders.php is unsanitized, enabling database manipulation from remote attackers
This is the third SQL injection CVE disclosed in this application within 24 hours — the entire codebase should be considered unsafe for production
No official patch — restrict internet access to the application immediately
Operators should perform a full SQL audit of all PHP files in the project before any further use

Sources

CVE-2026-5019 — NIST NVD

CVE-2026-5019: SQL Injection in code-projects Simple Food Order System (Orders)

Affected Products

CVE-2026-5019: SQL Injection in Simple Food Order System Orders Module

Vulnerability Overview

Technical Details

Affected Component

Exploitation Mechanism

Attack Flow

Relationship to CVE-2026-5017 and CVE-2026-5018

Remediation

Immediate Steps

Code-Level Fix

Impact Assessment

Key Takeaways

Sources

CVE-2026-5017: SQL Injection in code-projects Simple Food Order System (Tickets)

CVE-2026-5018: SQL Injection in code-projects Simple Food Order System (Register)

CVE-2026-5033: SQL Injection in code-projects Accounting System (Customer View)

CVE-2026-5019: SQL Injection in code-projects Simple Food Order System (Orders)

Affected Products

CVE-2026-5019: SQL Injection in Simple Food Order System Orders Module

Vulnerability Overview

Technical Details

Affected Component

Exploitation Mechanism

Attack Flow

Relationship to CVE-2026-5017 and CVE-2026-5018

Remediation

Immediate Steps

Code-Level Fix

Impact Assessment

Key Takeaways

Sources

CVE-2026-5017: SQL Injection in code-projects Simple Food Order System (Tickets)

CVE-2026-5018: SQL Injection in code-projects Simple Food Order System (Register)

CVE-2026-5033: SQL Injection in code-projects Accounting System (Customer View)