Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_user action). The application fails to properly sanitize user input supplied to the "username" parameter. This allows an authenticated attacker to inject malicious SQL commands.
Published: 2026-03-27
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: SQL Injection allowing data access or modification
Action: Patch
AI Analysis

Impact

The vulnerability is a classic SQL injection in the save_user action of the Actions.php script for SourceCodester Online Food Ordering System version 1.0. The application fails to properly escape or validate the username parameter, enabling a malicious input to alter the underlying SQL query. This flaw can allow an authenticated user to execute arbitrary SQL commands, potentially exposing sensitive data or modifying or deleting records.

Affected Systems

Only the SourceCodester Online Food Ordering System v1.0 is affected, specifically the Actions.php file handling the save_user action.

Risk and Exploitability

No CVSS or EPSS metrics are available, and the flaw is not listed in the CISA KEV catalog. Exploitation requires prior authentication, which limits the attack surface to users with valid credentials. Once authenticated, an attacker can submit a crafted username to manipulate the SQL query, potentially gaining unauthorized database access. Because the vulnerability is not known to be actively exploited, the immediate risk is moderate, but the potential impact on confidentiality, integrity, or availability is significant if an attacker can inject SQL.

Generated by OpenCVE AI on March 27, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Deploy a patched version that sanitizes the username input in save_user.
  • If an update is unavailable, implement input validation or use parameterized queries for the username parameter.
  • Restrict access to the save_user functionality to trusted users and monitor for anomalous activity.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:30:00 +0000

Type    Values Removed    Values Added
Title                     Authenticated SQL Injection in SourceCodester Online Food Ordering System

Fri, 27 Mar 2026 20:15:00 +0000

Type         Values Removed    Values Added
Weaknesses                     CWE-89
Metrics                        cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 16:15:00 +0000

Type           Values Removed    Values Added
Description                      A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_user action). The application fails to properly sanitize user input supplied to the "username" parameter. This allows an authenticated attacker to inject malicious SQL commands.
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T20:01:49.659Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30529

Vulnrichment

Updated: 2026-03-27T20:01:20.043Z

NVD

Status: Received

Published: 2026-03-27T16:16:23.447

Modified: 2026-03-27T20:16:28.770

Link: CVE-2026-30529

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:25:59Z

Weaknesses