CVE-2026-13498
HighCVSS 7.3Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
SQL Injection vulnerability in yashpokharna2555 restaurant-management-system. An attacker can remotely manipulate the 'email' argument in /forgotpassword.php, leading to SQL injection. Exploit is publicly available.
Risk Assessment
Risk includes unauthorized database access, customer data leakage, and potential system takeover. Lack of vendor response increases exploitation risk.
Recommendation
Immediately disable or secure the /forgotpassword.php endpoint by validating input and using prepared statements. Consider temporarily disabling the system until a patch is released.
Original NVD description (English source)
A vulnerability was identified in yashpokharna2555 restaurent-management-system. This affects an unknown function of the file /forgotpassword.php of the component POST Parameter Handler. Such manipulation of the argument email leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.

