CVE-2026-5157: Cross Site Scripting in code-projects Online Food Ordering System
CVE-2026-5157 is a medium severity cross-site scripting (XSS) vulnerability found in version 1.0 of the code-projects Online Food Ordering System. The vulnerability exists in the /form/order.php file within the Order Module, specifically involving the cust_id parameter. An attacker can remotely exploit this flaw by manipulating the cust_id argument to inject malicious scripts. No authentication or privileges are required to exploit this vulnerability, but user interaction is needed to trigger the XSS payload. While no known exploits are currently in the wild, a public exploit is available, increasing the risk of exploitation. This vulnerability can lead to client-side script execution, potentially compromising user data and session integrity. Organizations using this software should prioritize patching or applying mitigations to prevent exploitation. Countries with significant deployment of this software or with large online food ordering markets are at higher risk.
AI Analysis
Technical Summary
CVE-2026-5157 is a cross-site scripting (XSS) vulnerability identified in the code-projects Online Food Ordering System version 1.0. The vulnerability resides in the Order Module, specifically in the /form/order.php file, where the cust_id parameter is improperly sanitized or validated. This allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser when the crafted URL or input is processed. The attack vector is remote and does not require any authentication or privileges, making it accessible to unauthenticated attackers. However, user interaction is necessary to trigger the payload, such as clicking a malicious link or submitting a crafted form. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity, with the vector indicating network attack vector, low attack complexity, no privileges required, and user interaction required. The impact primarily affects confidentiality and integrity at a limited level, as the injected scripts can steal session cookies, perform actions on behalf of the user, or manipulate the user interface. No patches or official fixes have been linked yet, and although no known exploits are currently active in the wild, a public exploit is available, increasing the urgency for mitigation. This vulnerability highlights the importance of proper input validation and output encoding in web applications, especially those handling sensitive transactions like food ordering.
Potential Impact
The exploitation of CVE-2026-5157 can lead to the execution of arbitrary scripts in the browsers of users interacting with the vulnerable Online Food Ordering System. This can result in theft of session cookies, enabling account hijacking, unauthorized actions performed on behalf of users, defacement of the user interface, or redirection to malicious sites. For organizations, this can lead to loss of customer trust, potential data breaches, and reputational damage. Since the vulnerability affects an online food ordering platform, it may also disrupt business operations and customer experience. The medium severity score reflects that while the vulnerability does not directly compromise server-side systems or data, the client-side impact can cascade into broader security issues. The availability of a public exploit increases the likelihood of attempted attacks, especially targeting customers of affected businesses. Organizations relying on this software without mitigation are at risk of targeted phishing campaigns and session hijacking attacks.
Mitigation Recommendations
To mitigate CVE-2026-5157, organizations should first seek any official patches or updates from the vendor and apply them promptly once available. In the absence of patches, implement strict input validation and output encoding on the cust_id parameter to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Use web application firewalls (WAFs) to detect and block malicious payloads targeting the vulnerable parameter. Educate users about the risks of clicking suspicious links and encourage the use of updated browsers with built-in XSS protections. Regularly audit and test the application for similar injection flaws. Additionally, consider isolating the vulnerable module or disabling the affected functionality temporarily if feasible until a fix is deployed. Monitoring logs for unusual requests targeting /form/order.php can help detect exploitation attempts early.
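As an added illustration (not code from the code-projects project or from this advisory), the following PHP applies the input validation, output encoding and CSP recommendations above to a cust_id parameter; it assumes cust_id is a numeric customer identifier that the page echoes back into HTML, which is an assumption about the application rather than a fact stated here.

```php
<?php
// Added example, not the project's own code. Assumes cust_id is a positive
// integer customer identifier that a page like /form/order.php reflects into HTML.
declare(strict_types=1);

// Send a restrictive CSP before any output so an inline reflected payload
// would be blocked by the browser even if a sink were missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
header("X-Content-Type-Options: nosniff");

/**
 * Validate cust_id: accept only a positive integer, otherwise return null.
 * Rejecting everything else removes the injection vector at the input side
 * instead of relying on encoding alone.
 */
function validateCustId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Encode any value placed into an HTML text or attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$custId = validateCustId($_GET['cust_id'] ?? null);
if ($custId === null) {
    http_response_code(400);
    // Never echo the rejected value back to the client; record it server-side
    // so requests probing /form/order.php can be spotted during log review.
    error_log('order.php: rejected cust_id from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit('Invalid customer id.');
}

// Defence in depth: even the validated integer is encoded on output.
echo '<input type="hidden" name="cust_id" value="' . h((string) $custId) . '">';
```

The 400 branch deliberately does not reflect the rejected input, so a rejected request cannot itself become a new XSS sink.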
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-30T13:36:47.061Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69cb096be6bfc5ba1d7e1fbe
Added to database: 3/30/2026, 11:38:19 PM
Last enriched: 3/30/2026, 11:53:32 PM
Last updated: 3/31/2026, 1:48:50 AM