Description
A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. When an administrator or user visits the Category list page (or any page where this category is rendered), the injected JavaScript executes immediately in their browser.
Published: 2026-03-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows malicious JavaScript to execute in the browser of any administrator or user who views a category page.
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the Category Name field of the admin panel of the Online Food Ordering System v1.0. The application fails to sanitize or encode user input, allowing an attacker to embed malicious JavaScript that executes automatically when a page that displays the stored category is viewed. This can lead to credential theft, defacement, or execution of arbitrary actions in the victim’s browser context.

Affected Systems

The affected product is the SourceCodester Online Food Ordering System version 1.0. The flaw exists only within this version’s Category management module and requires user input in the Category Name field. Administrators or any users with write access to create or update categories can introduce the payload.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not in the CISA KEV catalog, yet because the payload is stored, it persists until the injected code is removed and fires for every visitor who renders the category. Based on the description, the likely attack vector is the Category Management interface: write access is needed to inject the payload, and the code then executes in the browser of any victim who views the category.

Generated by OpenCVE AI on April 6, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the vendor’s official patch or upgrade the Online Food Ordering System to a later release that corrects the input validation flaw.
  • If no patch is available, modify the application to escape or encode the Category Name before rendering, and restrict write operations to trusted administrators only.
  • As a temporary measure, disable or remove the Category management page for non‑privileged accounts until a fix is applied.
  • Verify that the vulnerability has been remediated by testing the Category list page with a benign JavaScript payload or using a local XSS testing tool.
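As an added illustration of the second recommended action (this is not code from the Online Food Ordering System or from OpenCVE), the snippet below contrasts echoing a stored category name raw with encoding it at render time, plus a server-side name check on create/update; the function names, row layout and sample category data are assumptions.

```php
<?php
// Added example, not the application's own code. Shows the pattern the
// advisory describes (category name echoed into HTML unchanged) beside
// output encoding applied at the point of rendering.

// Constructed sample rows; the second carries markup as a benign test value.
$categories = [
    ['id' => 1, 'name' => 'Desserts'],
    ['id' => 2, 'name' => 'Drinks <script>alert("xss")</script>'],
];

// Vulnerable pattern: the stored value is interpolated into HTML as-is,
// so any markup in the name is parsed and executed by the browser.
function render_row_unsafe(array $cat): string
{
    return "<tr><td>{$cat['id']}</td><td>{$cat['name']}</td></tr>";
}

// Hardened pattern: encode for an HTML text context when rendering.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids
// returning an empty string on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row_safe(array $cat): string
{
    return '<tr><td>' . e((string) $cat['id']) . '</td><td>' . e($cat['name']) . '</td></tr>';
}

// Defence in depth on the write path (create/update handler): accept only
// letters, digits, spaces, ampersand and hyphen, with a sane length limit.
// Encoding on output remains the primary control; this just narrows input.
function is_valid_category_name(string $name): bool
{
    return $name !== ''
        && mb_strlen($name, 'UTF-8') <= 100
        && preg_match('/^[\p{L}\p{N} &-]+$/u', $name) === 1;
}

foreach ($categories as $cat) {
    echo 'unsafe: ' . render_row_unsafe($cat) . PHP_EOL;
    echo 'safe:   ' . render_row_safe($cat) . PHP_EOL;
    echo 'accepted on write? ' . (is_valid_category_name($cat['name']) ? 'yes' : 'no') . PHP_EOL;
}
```

The encoded row renders the angle brackets as literal text, which is also the behaviour to confirm when re-testing the Category list page after a fix.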



Advisories

No advisories yet.

History

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Stored XSS in Category Management of Online Food Ordering System

Mon, 06 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Tue, 31 Mar 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Stored XSS in Category Name Field of SourceCodester Online Food Ordering System v1.0

Mon, 30 Mar 2026 17:30:00 +0000

Type: First Time appeared
Values Added: Oretnom23; Oretnom23 online Food Ordering System
Type: CPEs
Values Added: cpe:2.3:a:oretnom23:online_food_ordering_system:1.0:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Oretnom23; Oretnom23 online Food Ordering System
Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Mon, 30 Mar 2026 08:15:00 +0000

Type: First Time appeared
Values Added: Sourcecodester; Sourcecodester online Food Ordering System
Type: Vendors & Products
Values Added: Sourcecodester; Sourcecodester online Food Ordering System

Fri, 27 Mar 2026 20:30:00 +0000

Type: Title
Values Added: Stored XSS in Category Name Field of SourceCodester Online Food Ordering System v1.0
Type: Weaknesses
Values Added: CWE-79

Fri, 27 Mar 2026 16:15:00 +0000

Type: Description
Values Added: A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. When an administrator or user visits the Category list page (or any page where this category is rendered), the injected JavaScript executes immediately in their browser.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T13:49:46.219Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30527

Vulnrichment

Updated: 2026-03-31T15:52:38.937Z

NVD

Status: Modified

Published: 2026-03-27T16:16:23.327

Modified: 2026-04-06T14:16:23.137

Link: CVE-2026-30527

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:54Z

Weaknesses