CVE-2026-5157 Overview
CVE-2026-5157 is a reflected cross-site scripting (XSS) vulnerability in code-projects Online Food Ordering System 1.0. The flaw resides in the Order Module, specifically in the /form/order.php script. The cust_id parameter is reflected into the response without proper sanitization or output encoding, allowing attackers to inject arbitrary script content. The issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). A public proof-of-concept exploit is available, lowering the barrier to exploitation.
Critical Impact
Remote attackers can deliver crafted links that execute attacker-controlled JavaScript in a victim's browser session, enabling session theft, phishing overlays, and client-side action hijacking within the Order Module.
Affected Products
- code-projects Online Food Ordering System 1.0
- Order Module component (/form/order.php)
- Deployments exposing the cust_id request parameter
Discovery Timeline
- 2026-03-31 - CVE-2026-5157 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-5157
Vulnerability Analysis
The vulnerability affects the Order Module of code-projects Online Food Ordering System 1.0. The /form/order.php endpoint reads the cust_id parameter from the request and reflects its value into the rendered HTML response. Because the application neither validates the value against its expected shape (a customer identifier) nor neutralizes HTML metacharacters with context-aware output encoding, an attacker can inject a payload containing <script> tags or HTML event handlers.
The attack requires user interaction. A victim must click a crafted link or load an attacker-controlled page that issues the request. Once the payload renders, it executes in the browser under the origin of the vulnerable application, granting access to cookies, DOM contents, and authenticated actions tied to the Order Module.
The EPSS score is 0.013%, a low predicted probability of in-the-wild exploitation over the next 30 days, but a public proof-of-concept is hosted as a GitHub Gist and indexed by VulDB, so the bar for opportunistic attempts is low.
Root Cause
The root cause is missing input validation and output encoding on the cust_id parameter handled by /form/order.php. The application concatenates user-supplied data directly into HTML output without passing it through htmlspecialchars() with the ENT_QUOTES flag (or an equivalent context-aware encoder). This violates the contextual output escaping required to prevent CWE-79 in PHP web applications. Validating that cust_id is numeric would have stopped this particular payload as well, but output encoding is the control that must be present regardless of what validation is applied upstream.
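The reflection pattern described in the analysis and root-cause sections above, shown as an added PHP example next to a hardened version. This is not code from the code-projects project or from the advisory: the function names, the markup and the exact place cust_id is reflected are assumptions for illustration. The hardened variant applies both controls the root cause calls for, a positive validation rule (cust_id must be a plain positive integer) and htmlspecialchars() with ENT_QUOTES on output.

```php
<?php
// Added example, not the project's own /form/order.php. Function names and
// markup are assumptions chosen to show the vulnerable pattern and its fix.

declare(strict_types=1);

/**
 * VULNERABLE (assumed reconstruction): the raw request value is concatenated
 * straight into the HTML body and into an attribute value, so <script> tags,
 * event handlers, or a closing quote in cust_id become live markup.
 */
function render_order_form_vulnerable(string $cust_id): string
{
    return '<input type="hidden" name="cust_id" value="' . $cust_id . '">'
         . '<p>Ordering for customer ' . $cust_id . '</p>';
}

/**
 * Encoder for HTML text nodes and double-quoted attribute values.
 * ENT_QUOTES encodes both " and ', ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string. Values reflected into a JavaScript
 * or URL context would need a different encoder; this one is for HTML only.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * HARDENED: reject anything that is not a positive integer, then encode on
 * output anyway so the page stays safe if the validation rule is loosened.
 */
function render_order_form_safe(string $cust_id): string
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $cust_id)) {
        return '<p>Invalid customer id.</p>';   // caller should also send HTTP 400
    }
    $id = h($cust_id);
    return '<input type="hidden" name="cust_id" value="' . $id . '">'
         . '<p>Ordering for customer ' . $id . '</p>';
}

// Constructed inputs: a benign id, a script tag, and an attribute breakout.
$payloads = [
    '42',
    '<script>alert(document.cookie)</script>',
    '"><img src=x onerror=alert(1)>',
];

foreach ($payloads as $p) {
    echo "input:      $p\n";
    echo "vulnerable: " . render_order_form_vulnerable($p) . "\n";
    echo "hardened:   " . render_order_form_safe($p) . "\n\n";
}
```

Run it with the PHP CLI. The vulnerable output for the second and third inputs contains executable markup; the hardened output rejects both and renders the first with every reflected occurrence encoded.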
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a URL targeting /form/order.php with a malicious cust_id value containing JavaScript. The attacker delivers the link through phishing, chat, or a third-party site. When the victim loads the URL, the injected script executes in the browser, with access to any session state held by the Online Food Ordering System.
No verified exploit code is reproduced here. The publicly available proof-of-concept can be reviewed in the GitHub Gist PoC and the corresponding VulDB Vulnerability #354189 entry.
Detection Methods for CVE-2026-5157
Indicators of Compromise
- HTTP requests to /form/order.php containing cust_id values with <, >, script, onerror, onload, or URL-encoded equivalents such as %3Cscript%3E.
- Requests to /form/order.php whose Referer header points to an external domain, especially when paired with a cust_id value that is not purely numeric.
- Outbound browser requests to attacker-controlled domains immediately following a visit to /form/order.php.
Detection Strategies
- Inspect web server access logs for GET or POST requests to /form/order.php where cust_id contains HTML or JavaScript metacharacters.
- Deploy a web application firewall (WAF) rule on the cust_id parameter. Because the value should be a customer identifier, a positive rule that allows only digits is harder to bypass than a denylist of reflected XSS payload patterns.
- Use Content Security Policy (CSP) violation reports to identify injected inline scripts originating from the Order Module.
Monitoring Recommendations
- Alert on repeated 200 OK responses to /form/order.php requests carrying encoded angle brackets or javascript: schemes.
- Correlate browser-side script errors with prior visits to the application to identify successful payload delivery.
- Track click-through telemetry on emailed or chat-delivered links containing order.php?cust_id=.
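The access-log check from the detection strategies and monitoring recommendations above, written out as an added PHP CLI example. It is not code from the advisory or from the code-projects project; the function names are assumptions and the log lines are constructed for the demo. The scanner keys on /form/order.php, normalizes URL-encoded and double-encoded cust_id values before inspection so both %3Cscript%3E and %253Cscript%253E surface, and flags a 200 response as a successful reflection versus a 403 as a likely WAF block. POST bodies are not written to access logs, so payloads sent in a POST body need application-level logging or a WAF to be seen.

```php
<?php
// Added example (not part of the advisory or of the code-projects project):
// scan combined-format access logs for suspicious cust_id values sent to
// /form/order.php. Function names are assumptions; the log lines at the
// bottom are constructed for this demo.

declare(strict_types=1);

// Client, ident, user, [time], "METHOD URI PROTO", status, bytes; the
// referer/user-agent tail of the combined format is ignored.
const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';

// Markup and script metacharacters that never belong in a customer id.
const XSS_MARKER_RE = '/[<>"\']|javascript:|\bon\w+\s*=/i';

/** Bounded repeated decoding so %3Cscript%3E and %253Cscript%253E normalize alike. */
function deep_decode(string $value, int $rounds = 3): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

/** Return a finding for one log line, or null if it is not a suspicious /form/order.php request. */
function inspect_log_line(string $line): ?array
{
    if (!preg_match(LOG_LINE_RE, $line, $m)) {
        return null;
    }
    [, $client, $time, $method, $uri, $status] = $m;

    $parts = parse_url($uri);
    if (($parts['path'] ?? '') !== '/form/order.php' || empty($parts['query'])) {
        return null;                            // only the Order Module endpoint is of interest
    }

    parse_str($parts['query'], $params);        // applies one round of URL decoding
    if (!isset($params['cust_id'])) {
        return null;
    }
    $raw  = $params['cust_id'];
    $cust = is_array($raw) ? '[array parameter]' : deep_decode((string) $raw);

    if (ctype_digit($cust)) {
        return null;                            // well-formed numeric id
    }
    $reason = preg_match(XSS_MARKER_RE, $cust) ? 'xss-metacharacters' : 'non-numeric';

    return [
        'time'      => $time,
        'client'    => $client,
        'method'    => $method,
        'status'    => (int) $status,
        'cust_id'   => $cust,
        'reason'    => $reason,
        'reflected' => $status === '200',       // 200: app served the reflection; 403: likely WAF block
    ];
}

/** Run inspect_log_line() over every line of a log blob and collect findings. */
function scan_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $finding = inspect_log_line($line);
        if ($finding !== null) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

// Constructed sample log: a benign request, three XSS attempts (plain, double-encoded,
// javascript: scheme), one malformed id, and one unrelated endpoint.
$sample_log = <<<'LOG'
203.0.113.7 - - [31/Mar/2026:10:14:02 +0000] "GET /form/order.php?cust_id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [31/Mar/2026:10:15:11 +0000] "GET /form/order.php?cust_id=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5211 "http://attacker.example/" "Mozilla/5.0"
198.51.100.23 - - [31/Mar/2026:10:15:40 +0000] "GET /form/order.php?cust_id=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5230 "-" "Mozilla/5.0"
198.51.100.23 - - [31/Mar/2026:10:16:05 +0000] "GET /form/order.php?cust_id=javascript:alert(1) HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Mar/2026:10:17:30 +0000] "GET /form/order.php?cust_id=12abc HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Mar/2026:10:18:00 +0000] "GET /index.php?cust_id=%3Cscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
LOG;

foreach (scan_log($sample_log) as $f) {
    printf("%s %s %s status=%d reason=%s cust_id=%s%s\n",
        $f['time'], $f['client'], $f['method'], $f['status'], $f['reason'],
        json_encode($f['cust_id']), $f['reflected'] ? ' [REFLECTED]' : '');
}
```

On the constructed input the scanner reports four findings (the three payloads and the malformed id) and ignores the benign request and the request to another script. Piping a real access log through scan_log() is a one-line change; the positive check (digits only) is what keeps the rule from depending on a payload denylist.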
How to Mitigate CVE-2026-5157
Immediate Actions Required
- Restrict public exposure of /form/order.php until a vendor patch is applied or a virtual patch is deployed at the WAF layer.
- Apply input validation that rejects non-numeric or non-expected character classes for the cust_id parameter.
- Enforce a strict Content Security Policy that disallows inline scripts and unauthorized script sources.
Patch Information
No vendor advisory or official patch from code-projects has been published in the referenced sources at the time of NVD publication. Refer to the Code Projects Resource Hub and the VulDB Vulnerability #354189 entry for updates. Operators should plan to apply HTML output encoding to all reflected parameters in /form/order.php.
Workarounds
- Wrap reflected cust_id output in htmlspecialchars($value, ENT_QUOTES, 'UTF-8') before rendering.
- Configure a WAF rule on cust_id. A denylist of <, >, ", ', and javascript: substrings (including URL-encoded variants) is a quick stopgap but is bypassable; since a customer id is numeric, prefer a rule that rejects any value not matching ^[0-9]+$.
- Set the HttpOnly flag on session cookies so injected script cannot read them through document.cookie. This limits session theft but not session abuse: the script still runs in the victim's origin and can issue authenticated requests from inside the page. SameSite=Strict is a CSRF control and does not restrict same-origin script, so it adds nothing against this bug.
# Example ModSecurity (Apache or Nginx connector) rule blocking XSS payloads on cust_id.
# ARGS is already URL-decoded once; t:urlDecodeUni also catches double-encoded payloads.
SecRule ARGS:cust_id "@rx (?i)(<script|onerror=|onload=|javascript:|%3Cscript)" \
"id:1005157,phase:2,deny,status:403,log,t:none,t:urlDecodeUni,\
msg:'CVE-2026-5157 XSS attempt on cust_id parameter',\
tag:'CWE-79',tag:'attack-xss'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


