SQL Injection Vulnerability in Order Up Online Ordering System by Order Up
CVE-2026-24494

9.8 CRITICAL

Key Information:

Vendor: Order Up
CVE Published: 23 February 2026

What is CVE-2026-24494?

The Order Up Online Ordering System 1.0 is vulnerable to SQL injection through the /api/integrations/getintegrations endpoint. An unauthenticated attacker can inject SQL code via the store_id parameter of a POST request. Successful exploitation could lead to unauthorized access to sensitive information in the backend database, putting data integrity and security at risk.
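The class of flaw described above, as an added example that is not the vendor's code: a lookup keyed on store_id written with string concatenation, beside a validated, parameterized version. The table schema, the function names, the assumption that store_id is numeric, and the use of in-memory SQLite in place of the real backend are all hypothetical.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical,
# not the Order Up schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE integrations (store_id INTEGER, name TEXT, api_key TEXT)")
    db.executemany(
        "INSERT INTO integrations VALUES (?, ?, ?)",
        [(1, "pos-sync", "key-store-1"), (2, "delivery", "key-store-2")],
    )
    return db

def get_integrations_concat(db, store_id):
    """Flawed pattern: store_id from the request body becomes SQL text."""
    sql = "SELECT name, api_key FROM integrations WHERE store_id = " + str(store_id)
    return db.execute(sql).fetchall()

def parse_store_id(raw):
    """Allow-list check: accept only a short ASCII decimal integer."""
    text = str(raw).strip()
    if not (text.isascii() and text.isdigit() and len(text) <= 10):
        raise ValueError("store_id must be a decimal integer")
    return int(text)

def get_integrations_bound(db, store_id):
    """Hardened pattern: validate, then pass the value as a bound parameter."""
    sid = parse_store_id(store_id)
    sql = "SELECT name, api_key FROM integrations WHERE store_id = ?"
    return db.execute(sql, (sid,)).fetchall()

def demo():
    db = make_db()
    crafted = "1 OR 1=1"  # constructed non-numeric input
    # Concatenation lets the input change the WHERE clause: every store's rows return.
    leaked = get_integrations_concat(db, crafted)
    try:
        get_integrations_bound(db, crafted)
        rejected = False
    except ValueError:
        rejected = True
    return len(leaked), rejected, get_integrations_bound(db, "2")

if __name__ == "__main__":
    print(demo())
```

Binding alone already keeps the value out of the SQL text; the allow-list check additionally rejects malformed requests before they reach the database, which gives a clean signal to log and alert on.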

Affected Version(s)

Online Ordering System Windows 1.0

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Subhash Paudel