CVE-2026-13499
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
A stored XSS vulnerability was found in the yashpokharna2555 restaurant management system in login_register.php. Manipulating the Username parameter in the Registration Handler allows remote script execution. The exploit is public and the vendor has not responded.
Risk Assessment
An attacker can remotely inject malicious scripts, leading to session hijacking, redirects, or data theft. The lack of a patch increases the risk in production environments.
Recommendation
Immediately disable or isolate the system until an update is released. Apply input filtering (e.g., htmlspecialchars) to the Username parameter and consider using a WAF.
Original NVD description (English source)
A security flaw has been discovered in yashpokharna2555 restaurent-management-system. This impacts an unknown function of the file login_register.php of the component Registration Handler. Performing a manipulation of the argument Username results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

