CVE-2026-1599

4.3 MEDIUM

📋 TL;DR

This vulnerability in Bdtask Bhojon Restaurant Management System allows attackers to manipulate checkout parameters (orggrandTotal/vat/service_charge/grandtotal) remotely, potentially causing business logic errors that could affect pricing calculations or order processing. It affects all systems running versions up to January 16, 2026. The vulnerability is publicly disclosed and exploitable without authentication.

💻 Affected Systems

Products:
  • Bdtask Bhojon All-In-One Restaurant Management System
Versions: All versions up to and including 20260116
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /hungry/placeorder endpoint in the Checkout component. Any installation with this endpoint accessible is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate order totals, causing financial losses through incorrect billing, order processing errors, or inventory discrepancies that disrupt restaurant operations.

🟠 Likely Case

Manipulation of checkout parameters leading to incorrect order pricing, potential revenue loss, or order processing failures.

🟢 If Mitigated

With proper input validation and business logic controls, impact would be limited to failed exploitation attempts with no operational disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub and VulDB. The vulnerability requires manipulation of specific parameters in checkout requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor has not responded to disclosure. Consider workarounds or alternative solutions.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement server-side validation for all checkout parameters to ensure they match expected values and formats.

Action: Implement validation in the /hungry/placeorder endpoint code.
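Added example (not Bdtask's or Bhojon's code, whose implementation this page does not show): a Python sketch of the server-side recomputation the workaround describes. Totals are rebuilt from server-held prices and rates, and the four client-supplied parameters named in this advisory are only compared against them, never used for billing. Menu prices, VAT rate and service-charge rate are constructed placeholders.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed server-side catalogue and rates (hypothetical values, not Bhojon's).
MENU_PRICES = {"101": Decimal("12.50"), "205": Decimal("4.00")}
VAT_RATE = Decimal("0.10")
SERVICE_CHARGE_RATE = Decimal("0.05")
CHECKOUT_FIELDS = ("orggrandTotal", "vat", "service_charge", "grandtotal")


def money(value):
    """Round to cents the same way on every code path so comparisons are exact."""
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def recompute_totals(cart):
    """Rebuild every checkout total from server data. cart is {item_id: qty}.
    Unknown items or non-positive quantities are rejected, not priced."""
    subtotal = Decimal("0")
    for item_id, qty in cart.items():
        if item_id not in MENU_PRICES or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"invalid cart line {item_id!r} x {qty!r}")
        subtotal += MENU_PRICES[item_id] * qty
    subtotal = money(subtotal)
    vat = money(subtotal * VAT_RATE)
    service = money(subtotal * SERVICE_CHARGE_RATE)
    return {"orggrandTotal": subtotal, "vat": vat,
            "service_charge": service, "grandtotal": money(subtotal + vat + service)}


def validate_placeorder(cart, submitted):
    """Return (ok, server_totals, mismatched_fields).
    server_totals is what the order is billed at regardless of the request;
    mismatched_fields feeds logging/alerting for tampered requests."""
    expected = recompute_totals(cart)
    mismatched = []
    for field in CHECKOUT_FIELDS:
        try:
            got = money(Decimal(str(submitted.get(field, ""))))
        except (InvalidOperation, ValueError, TypeError):
            got = None  # missing or non-numeric value counts as a mismatch
        if got != expected[field]:
            mismatched.append(field)
    return (not mismatched, expected, mismatched)


if __name__ == "__main__":
    cart = {"101": 2, "205": 1}  # constructed order: 2 x 12.50 + 1 x 4.00
    # Constructed request with a tampered grandtotal; the other three are honest.
    request = {"orggrandTotal": "29.00", "vat": "2.90",
               "service_charge": "1.45", "grandtotal": "0.01"}
    ok, totals, bad = validate_placeorder(cart, request)
    print("accept as submitted:", ok, "| mismatched:", bad, "| billed:", totals)
```

Wire the returned mismatch list into the checkout log so the "unusual parameter values" indicator in the detection section becomes a concrete, per-request signal.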

Web Application Firewall Rules (applies to: all)

Deploy WAF rules to block suspicious parameter manipulation in checkout requests.

Action: Configure the WAF to monitor and block unusual patterns in the orggrandTotal, vat, service_charge and grandtotal parameters.

🧯 If You Can't Patch

  • Isolate the restaurant management system behind a firewall with strict access controls
  • Implement additional monitoring and alerting for unusual checkout activity

🔍 How to Verify

Check if Vulnerable:

Test if the /hungry/placeorder endpoint accepts manipulated orggrandTotal/vat/service_charge/grandtotal parameters that affect checkout calculations.

Check Version:

Check system version in admin panel or configuration files for version 20260116 or earlier

Verify Fix Applied:

Verify that parameter manipulation no longer affects checkout calculations and all inputs are properly validated.

📡 Detection & Monitoring

Log Indicators:

  • Unusual parameter values in /hungry/placeorder requests
  • Multiple failed checkout attempts with manipulated totals

Network Indicators:

  • HTTP requests to /hungry/placeorder with unusual parameter patterns
  • Rapid checkout attempts with varying totals

SIEM Query:

source="web_logs" AND uri="/hungry/placeorder" AND (param="orggrandTotal" OR param="vat" OR param="service_charge" OR param="grandtotal") AND value NOT LIKE expected_pattern
