CVE-2026-14622 in restaurant-website-php-mysql
Summary
by MITRE • 07/04/2026
A vulnerability was found in jairiidriss restaurant-website-php-mysql up to 521428b5b612449df0cf4a5d15ee40cba67f3d35. This vulnerability affects unknown code of the file /admin/ajax_files of the component AJAX Endpoint. Performing a manipulation results in missing authentication. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/04/2026
This vulnerability represents a critical authentication bypass flaw in the jairiidriss restaurant-website-php-mysql application's administrative interface. The issue resides within the AJAX endpoint functionality located at /admin/ajax_files, where insufficient access controls allow unauthorized users to manipulate the system without proper authentication credentials. The vulnerability affects the application's core administrative components and demonstrates a fundamental failure in implementing proper security checks before processing sensitive operations. This type of flaw directly violates security best practices and creates an avenue for malicious actors to gain unauthorized access to administrative functions.
The technical implementation of this vulnerability stems from inadequate input validation and authentication verification within the AJAX handler files. Attackers can exploit this weakness through remote execution by crafting specific requests that bypass the normal authentication flow required for administrative access. The rolling release strategy employed by this project complicates remediation efforts as there are no clear version boundaries to identify affected releases, making it difficult for users to determine their exposure level. This approach to software delivery, while beneficial for continuous updates, creates challenges in vulnerability management and patch tracking for end users who may be running various intermediate versions.
From an operational impact perspective, this vulnerability allows attackers to perform administrative actions without authorization, potentially leading to full system compromise including data manipulation, user account modification, content injection, and privilege escalation. The public availability of exploit code significantly increases the risk level as it removes the need for advanced technical skills to execute the attack. The lack of response from the project maintainers after being informed through issue reporting creates additional security concerns, as users may be left vulnerable for extended periods without official guidance or patches.
Security professionals should consider this vulnerability in relation to CWE-287 which addresses improper authentication issues and ATT&CK technique T1078 for valid accounts usage. Organizations using this application should implement immediate compensating controls such as network segmentation, web application firewalls, and monitoring of administrative endpoints. The absence of version-specific information makes it essential for users to conduct thorough security assessments of their installations and consider alternative authentication mechanisms or temporary access restrictions until proper patches are available. This incident highlights the importance of maintaining responsive vulnerability disclosure processes and the risks associated with software projects that do not provide clear release information for security tracking purposes.