CVE-2026-1600 in Bhojon All-In-One Restaurant Management System
Summary
by MITRE • 01/29/2026
A vulnerability was identified in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The impacted element is an unknown function of the file /hungry/addtocart of the component Add-to-Cart Submission Endpoint. The manipulation of the argument price/allprice leads to business logic errors. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
by VulDB Data Team • 01/30/2026
This vulnerability affects Bdtask Bhojon All-In-One Restaurant Management System versions up to 20260116, in the add-to-cart handler behind the /hungry/addtocart endpoint. The flaw sits in an unspecified function that accepts the price and allprice arguments from the request and acts on them, so a client can submit a cart line carrying a price the server never computed. Because the endpoint is reachable remotely as part of normal customer ordering, no access to the host is needed to alter transaction values, which matters for an online ordering platform where the cart total drives what is billed.
Technically this is a client-side trust flaw in the cart logic: the server takes pricing parameters from the client during cart addition instead of deriving them from its own menu data. An attacker who lowers price or allprice reduces the amount charged for the order, which is a direct revenue loss for the operator. This class of issue is tracked under CWE-840 (Business Logic Errors). The exploit is publicly available, and for a flaw of this shape reproducing it requires no more than editing a form submission in an intercepting proxy or the browser's developer tools, so the bar for opportunistic abuse is low.
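The following is an added example, not code from Bhojon or from the advisory, modelling the flawed pattern next to its fix. The menu table, item IDs, prices and the quantity bound are assumptions; the point is that the hardened handler never stores a client-supplied price, and treats a mismatch between the submitted price fields and the server's own computation as a rejected, loggable event.

```python
from decimal import Decimal, InvalidOperation

# Constructed menu table standing in for the application's item catalog.
# Item IDs and prices are assumptions for this example, not Bhojon data.
MENU = {
    "101": Decimal("12.50"),   # hypothetical item
    "102": Decimal("3.75"),    # hypothetical item
}

MAX_QTY = 50  # assumed sanity bound for a single cart line


class CartError(ValueError):
    """Raised by the hardened handler when a submission is refused."""


def addtocart_vulnerable(form):
    """Model of the flawed pattern: the server keeps whatever price and
    allprice the client sent, so a tampered form sets its own price."""
    return {
        "item_id": form["item_id"],
        "qty": int(form["qty"]),
        "price": Decimal(form["price"]),
        "allprice": Decimal(form["allprice"]),
    }


def addtocart_hardened(form):
    """Hardened handler: the unit price comes from the menu, the line total is
    computed server-side, and a client-supplied price field is only ever
    compared against the server's value and rejected on mismatch."""
    item_id = form.get("item_id")
    if item_id not in MENU:
        raise CartError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise CartError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise CartError("quantity out of range")

    price = MENU[item_id]
    allprice = price * qty
    for field, server_value in (("price", price), ("allprice", allprice)):
        if field not in form:
            continue                      # the client need not send it at all
        try:
            client_value = Decimal(form[field])
        except InvalidOperation:
            raise CartError(f"{field} is not a number")
        if client_value != server_value:
            # A mismatch is the signature of tampering: refuse it (and log it).
            raise CartError(f"client {field}={client_value} differs from server {server_value}")
    return {"item_id": item_id, "qty": qty, "price": price, "allprice": allprice}


def rejects(form):
    """True if the hardened handler refuses the submission."""
    try:
        addtocart_hardened(form)
    except CartError:
        return True
    return False


if __name__ == "__main__":
    tampered = {"item_id": "101", "qty": "2", "price": "0.01", "allprice": "0.02"}
    print("vulnerable stores:", addtocart_vulnerable(tampered)["allprice"])
    print("hardened rejects tampered form:", rejects(tampered))
    print("hardened computes:", addtocart_hardened({"item_id": "101", "qty": "2"})["allprice"])
```

The hardened handler also accepts a form that omits price and allprice entirely, which is the cleaner end state: once the server computes totals itself, the client fields carry no information and can be dropped from the form.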
The operational impact goes beyond a single discounted item: because cart totals feed order and payment processing, a manipulated line price propagates into incorrect billing and lost revenue for the restaurant. With no vendor response to the early disclosure, there is no official patch or mitigation guidance, so affected operators must act on their own. The ATT&CK reference given for this issue is T1211; note that T1211 is Exploitation for Defense Evasion, which fits only loosely, since the underlying problem is a server that trusts client-supplied state rather than any evasion of a defensive control.
Because the add-to-cart endpoint is part of normal customer ordering, blocking it with firewall rules is not practical; the workable mitigations are at the application layer. The primary fix, absent a vendor patch, is to stop trusting the client: the handler should look up the unit price from the menu table and compute the line total itself, treating any client-supplied price or allprice at most as a value to compare and reject on mismatch. Until the code can be changed, a reverse-proxy or WAF rule that refuses POST requests to /hungry/addtocart whose price or allprice is missing, zero or negative catches the crudest tampering, but only the application can check a submitted value against the menu. Order records should be audited for lines whose stored price differs from the menu price at the time of the order, and request logging for this endpoint with the same comparison will surface exploitation attempts as they happen. Segmenting administrative functions and requiring multi-factor authentication for them are sound general hygiene but do not address this flaw, which any ordinary customer can exploit. Given the public exploit, remediation should be prioritized on the assumption that exploitation is already occurring.
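As an added example (not part of the advisory or the product), the detection check described above run over a constructed request log. The log format, the menu table and the item IDs are assumptions; a real deployment needs a proxy or application log that records the POST body for this endpoint, which ordinary access logs do not. The check flags any submission whose price or allprice disagrees with the server's own computation, as well as unknown items and non-numeric values.

```python
import re
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed menu table; an assumption for this example, not Bhojon data.
MENU = {"101": Decimal("12.50"), "102": Decimal("3.75")}

# Constructed log lines: timestamp, method, path, form body. The second line
# is the advisory's scenario (price and allprice lowered by the client).
SAMPLE_LOG = """\
2026-01-30T10:12:03Z POST /hungry/addtocart item_id=101&qty=2&price=12.50&allprice=25.00
2026-01-30T10:12:41Z POST /hungry/addtocart item_id=101&qty=2&price=0.01&allprice=0.02
2026-01-30T10:13:05Z POST /hungry/addtocart item_id=102&qty=4&price=3.75&allprice=1.00
2026-01-30T10:13:22Z POST /hungry/addtocart item_id=999&qty=1&price=5.00&allprice=5.00
2026-01-30T10:14:00Z POST /hungry/addtocart item_id=102&qty=1&price=3.75&allprice=3.75
2026-01-30T10:14:09Z GET /hungry/menu -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def check_line(line):
    """Return (timestamp, reason) for a suspicious add-to-cart request, else None."""
    m = LINE_RE.match(line)
    if not m or m.group(2) != "POST" or m.group(3) != "/hungry/addtocart":
        return None
    ts, _, _, body = m.groups()
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    item = params.get("item_id")
    if item not in MENU:
        return (ts, f"unknown item_id {item}")
    try:
        qty = int(params.get("qty", "0"))
        price = Decimal(params.get("price", "0"))
        allprice = Decimal(params.get("allprice", "0"))
    except (ValueError, ArithmeticError):   # Decimal errors subclass ArithmeticError
        return (ts, "non-numeric quantity or price field")

    expected_total = MENU[item] * qty
    reasons = []
    if price != MENU[item]:
        reasons.append(f"price {price} != menu {MENU[item]}")
    if allprice != expected_total:
        reasons.append(f"allprice {allprice} != expected {expected_total}")
    return (ts, "; ".join(reasons)) if reasons else None


def scan(log_text):
    """Run check_line over every line and collect the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        alert = check_line(line)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOG):
        print(ts, reason)
```

The same comparison applied to stored order lines (menu price at order time versus the price on the line) finds past exploitation, which matters here because the exploit has been public since before any fix existed.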