CVE-2026-1600: Business Logic Errors in Bdtask Bhojon All-In-One Restaurant Management System
A vulnerability was identified in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The impacted element is an unknown function of the file /hungry/addtocart of the component Add-to-Cart Submission Endpoint. The manipulation of the argument price/allprice leads to business logic errors. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-1600 identifies a business logic vulnerability in the Bdtask Bhojon All-In-One Restaurant Management System, specifically in the Add-to-Cart submission endpoint at /hungry/addtocart. The flaw arises from improper validation or handling of the price and allprice parameters, which feed the order total calculation: the endpoint accepts these client-supplied values instead of deriving prices from its own catalog. An attacker can therefore remotely manipulate the parameters to alter unit prices or order amounts, producing financial discrepancies or unauthorized discounts. No user interaction is needed, which keeps the remote attack straightforward. The flaw affects versions up to 20260116, and no vendor patch is available because the vendor did not respond to the disclosure. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and a low (partial) impact on integrity (VI:L), giving a base score of 5.3 (medium severity). No exploitation in the wild has been reported, but public exploit code exists, which raises the likelihood of exploitation. The vulnerability primarily threatens the integrity of transaction data and can therefore cause financial loss or fraud; because it sits in a core ordering function of the system, exploitation can disrupt business operations and damage customer trust.
Potential Impact
The primary impact of CVE-2026-1600 is on the integrity of transaction data within the affected restaurant management system. Attackers can manipulate pricing information, leading to unauthorized discounts, incorrect billing, or financial losses for the business, and fraudulent transactions can in turn cause reputational damage and loss of customer trust. Confidentiality and availability impacts are minimal, but the business logic flaw can still disrupt normal order processing and accounting. Organizations relying on this system for order management and payment processing are at risk of financial fraud and operational disruption. The lack of vendor response and patch availability lengthens the exposure window, and the accessible public exploit code raises the risk of exploitation further. The vulnerability could also be leveraged as part of larger fraud schemes or combined with other attacks to escalate impact.
Mitigation Recommendations
Until an official patch is released by the vendor, organizations should implement the following mitigations:
1) Deploy web application firewalls (WAFs) with custom rules to detect and block suspicious manipulations of the price and allprice parameters in the /hungry/addtocart endpoint. Treat this as a stopgap: a WAF cannot know the correct price of every item, so it reduces noise rather than closing the flaw.
2) Implement server-side validation and sanity checks on all price-related inputs so that they conform to expected ranges and formats, rejecting anomalous values. The durable fix is for the server to recompute every line and order total from its own catalog prices and never use the client-supplied price or allprice in the calculation.
3) Monitor transaction logs and order data for unusual pricing patterns or discrepancies that could indicate exploitation attempts, for example orders whose submitted totals differ from the catalog-derived totals.
4) Restrict access to the Add-to-Cart endpoint where possible, such as by IP whitelisting or rate limiting, to reduce exposure.
5) Educate staff to recognize and report suspicious order activity.
6) Consider temporary compensating controls, such as manual review of orders with abnormal pricing, until a patch is available.
7) Maintain up-to-date backups and incident response plans to quickly address any fraud or data integrity issues.
8) Engage with the vendor or community for updates and share threat intelligence to stay informed about developments.
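As an added illustration of mitigations 2 and 3, not code from Bhojon or its vendor: a hardened add-to-cart handler written here in Python that recomputes the line total from a server-side catalog and uses any client-supplied price/allprice only as a tamper signal for logging. The catalog contents and the item_id and qty field names are constructed for the example; only price and allprice come from the advisory.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP
from typing import Dict, Tuple

# Constructed server-side menu catalog (hypothetical item ids and prices).
# The authoritative price lives here, never in the request body.
CATALOG: Dict[str, Decimal] = {
    "101": Decimal("12.50"),  # burger
    "202": Decimal("3.25"),   # fries
}
MAX_QTY = 50  # sanity cap on quantity per line


def price_cart_request(params: Dict[str, str]) -> Tuple[bool, dict]:
    """Handle one add-to-cart submission without trusting client prices.

    `params` is the decoded form body. Client-supplied `price` and
    `allprice` are ignored for the calculation; the server recomputes the
    total from CATALOG and compares the claimed values only to set a
    `tamper` flag for monitoring. Returns (accepted, details).
    """
    item_id = params.get("item_id", "")
    if item_id not in CATALOG:
        return False, {"error": "unknown item"}
    try:
        qty = int(params.get("qty", "1"))
    except ValueError:
        return False, {"error": "bad quantity"}
    if not 1 <= qty <= MAX_QTY:
        return False, {"error": "quantity out of range"}

    unit = CATALOG[item_id]
    total = (unit * qty).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

    # Detection signal: does the client's claimed figure match the server's?
    # Non-numeric or mismatched values (e.g. a negative price) flag tampering.
    tamper = False
    for field, expected in (("price", unit), ("allprice", total)):
        claimed = params.get(field)
        if claimed is None:
            continue
        try:
            if Decimal(claimed) != expected:
                tamper = True
        except InvalidOperation:
            tamper = True
    return True, {"item_id": item_id, "qty": qty, "unit_price": str(unit),
                  "line_total": str(total), "tamper": tamper}
```

The `tamper` flag is what a log-monitoring rule (mitigation 3) would alert on; the order itself is still priced from the catalog, so a tampered submission gains nothing.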
Affected Countries
Bangladesh, India, Pakistan, United States, United Kingdom, Canada, Australia, United Arab Emirates, Saudi Arabia, Malaysia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-29T08:44:44.234Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 697ba321ac06320222a9c4d1
Added to database: 1/29/2026, 6:12:49 PM
Last enriched: 2/23/2026, 9:47:30 PM
Last updated: 3/24/2026, 12:32:26 AM