Skip to main content
CVE Vulnerability Database

CVE-2026-5811: Food Ordering System Logic Error Flaw

CVE-2026-5811 is a business logic error in SourceCodester Online Food Ordering System 1.0 affecting the save_product function. Attackers can manipulate price parameters remotely. This article covers technical details, impact, and mitigations.

Published:

CVE-2026-5811 Overview

A business logic vulnerability has been identified in SourceCodester Online Food Ordering System version 1.0. The vulnerability exists in the save_product function within the /Actions.php file, which is part of the POST Parameter Handler component. Improper validation of the price argument allows attackers to manipulate product pricing through negative values, leading to significant business logic errors that can be exploited for financial fraud.

Critical Impact

Attackers can remotely exploit this vulnerability to manipulate product prices, potentially setting negative values that could result in financial losses, inventory manipulation, or unauthorized credits during checkout processes.

Affected Products

  • SourceCodester Online Food Ordering System 1.0
  • POST Parameter Handler component (/Actions.php)
  • save_product function

Discovery Timeline

  • 2026-04-08 - CVE-2026-5811 published to NVD
  • 2026-04-08 - Last updated in NVD database

Technical Details for CVE-2026-5811

Vulnerability Analysis

This vulnerability represents a classic business logic flaw (CWE-840) where the application fails to properly validate business-critical input parameters. The save_product function in /Actions.php accepts the price parameter without enforcing proper business rules, allowing authenticated users to submit negative or otherwise invalid price values.

The vulnerability is particularly concerning because it affects a core business function—product pricing—in an e-commerce application. When exploited, attackers can create products with negative prices, which could result in credits being applied to customer accounts during checkout, effectively stealing money from the business.

Root Cause

The root cause of this vulnerability is insufficient input validation in the save_product function. The application fails to implement proper business logic constraints that would prevent:

  • Negative price values
  • Zero-value prices for non-free items
  • Prices outside acceptable business ranges

The developer relied solely on client-side validation or omitted price validation entirely, assuming that only legitimate positive values would be submitted through the normal user interface.

Attack Vector

The attack is network-based and can be performed remotely by any authenticated user with access to product management functionality. An attacker would:

  1. Authenticate to the Online Food Ordering System with valid credentials
  2. Intercept or craft a POST request to /Actions.php targeting the save_product function
  3. Modify the price parameter to include a negative value
  4. Submit the malicious request, bypassing any client-side validation
  5. The server processes the request without proper validation, storing the invalid price

The vulnerability requires low privileges (authenticated user access) and no user interaction, making it relatively straightforward to exploit. A proof-of-concept demonstrating this negative pricing attack is available in the GitHub PoC for Negative Pricing repository.

Detection Methods for CVE-2026-5811

Indicators of Compromise

  • Products in the database with negative or zero price values
  • Unusual transaction records showing credits instead of charges
  • POST requests to /Actions.php containing negative values in the price parameter
  • Abnormal order totals or refund patterns in financial logs

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block POST requests containing negative numeric values in price-related parameters
  • Deploy application-layer monitoring to flag any product modifications with prices below acceptable thresholds
  • Configure database integrity checks to alert on products with invalid pricing data
  • Enable detailed logging for all product management operations and review for anomalous patterns

Monitoring Recommendations

  • Monitor /Actions.php endpoint for unusual request patterns or parameter manipulation attempts
  • Set up alerts for products created or modified with prices outside normal business ranges
  • Review transaction logs regularly for orders with negative totals or unexpected credits
  • Implement real-time monitoring of product catalog changes with automated validation checks

How to Mitigate CVE-2026-5811

Immediate Actions Required

  • Audit all existing product records in the database for negative or zero prices and correct any anomalies
  • Implement server-side validation for the price parameter in the save_product function immediately
  • Review recent product modifications and transactions for signs of exploitation
  • Restrict access to product management functionality to trusted administrators only

Patch Information

As of the last NVD update on 2026-04-08, no official patch has been released by SourceCodester. Organizations using this software should implement the workarounds below and monitor SourceCodester Security Resources for security updates. Additional vulnerability details are available at VulDB Vulnerability #356259.

Workarounds

  • Add server-side validation in /Actions.php to reject price values that are negative, zero, or exceed reasonable maximum thresholds
  • Implement database-level constraints to prevent negative values in price columns
  • Deploy a WAF rule to filter POST requests to /Actions.php that contain negative numeric values
  • Consider implementing a review/approval workflow for product price changes

The following example demonstrates implementing basic price validation in the affected PHP file:

php
# Server-side price validation for save_product function
# Add to /Actions.php before processing the price parameter

$price = floatval($_POST['price']);

# Validate price is positive and within reasonable bounds
if ($price <= 0 || $price > 99999.99) {
    die(json_encode(['error' => 'Invalid price value']));
}

# Additional sanitization before database insertion
$price = number_format($price, 2, '.', '');

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.