Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_customer action). The application fails to properly sanitize user input supplied to the "username" parameter. This allows an attacker to inject malicious SQL commands.
Published: 2026-03-27
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: Data Compromise via Unrestricted SQL Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a classic SQL Injection originating from the save_customer action in the Actions.php script. Because the application does not escape or parameterize the username input, an attacker can inject arbitrary SQL statements, enabling the attacker to read, modify, or delete user and order data, and potentially gain elevated access to the underlying database. The weakness is an input validation flaw that permits unauthorized data exposure.

Affected Systems

The flaw exists in SourceCodester Online Food Ordering System version 1.0, specifically the Actions.php component that handles customer creation. No other vendors or product versions are listed.

Risk and Exploitability

The reported exploit relies on submitting crafted data via the public web interface, a likely exploitation vector for any attacker with web access. While no official CVSS score or EPSS data is provided, the potential to manipulate critical customer data suggests a high severity. The lack of a KEV entry indicates that there are no documented real-world exploits yet, but the straightforward injection path makes the vulnerability attractive to opportunistic attackers.

Generated by OpenCVE AI on March 27, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of the application in which user input is sanitized or apply the vendor's security patch.
  • Implement parameterized queries or prepared statements for all database interactions involving user input, particularly in the Actions.php save_customer action.
  • Validate the username field against a strict whitelist of acceptable characters and enforce length limits.
  • Disable detailed database error messages in production to prevent information leakage.
  • Audit all database access points for similar input validation gaps and remediate accordingly.
  • Configure application monitoring to detect unusual query patterns or failed authentication attempts.
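The second and third recommended actions (prepared statements plus a strict whitelist and length limit on the username) can be shown side by side with the flawed pattern they replace. The following is an added example written for this page, not code from the SourceCodester project; it assumes a mysqli connection in `$conn`, a table named `customers` with `username`, `fullname` and `password` columns, and POST field names matching those columns. All of these names are assumptions.

```php
<?php
// Added example (not the project's own code). Assumptions: a mysqli connection
// in $conn and a table "customers" with columns username, fullname, password.

// The class of defect described on this page: request data is concatenated
// straight into the SQL text, so the database parses user input as SQL.
function save_customer_unsafe(mysqli $conn, array $post): bool {
    $sql = "INSERT INTO customers (username, fullname, password) VALUES ('"
        . $post['username'] . "', '" . $post['fullname'] . "', '"
        . password_hash($post['password'], PASSWORD_DEFAULT) . "')";
    return $conn->query($sql) === true;
}

// Whitelist validation: letters, digits, underscore and dot, 3 to 32 characters.
// Anything else is rejected outright rather than "cleaned".
function validate_username(string $username): bool {
    return preg_match('/^[A-Za-z0-9_.]{3,32}$/', $username) === 1;
}

// Hardened handler: validate first, then bind every user-supplied value as a
// parameter so it can never change the structure of the query.
function save_customer(mysqli $conn, array $post): bool {
    $username = $post['username'] ?? '';
    $fullname = trim($post['fullname'] ?? '');
    $password = $post['password'] ?? '';

    if (!validate_username($username)
        || $fullname === '' || strlen($fullname) > 100
        || strlen($password) < 8) {
        return false;
    }

    $stmt = $conn->prepare(
        'INSERT INTO customers (username, fullname, password) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        // Log server-side; never echo $conn->error to the client (see the
        // recommendation to disable detailed database errors in production).
        error_log('prepare failed: ' . $conn->error);
        return false;
    }

    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt->bind_param('sss', $username, $fullname, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The prepared statement, not the regular expression, is what closes the injection: the whitelist reduces attack surface and catches junk early, but the binding is what guarantees the username is sent to the server as data. Pair this with `display_errors=Off` in the production `php.ini` so a failed query does not leak schema details.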

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:30:00 +0000

Type | Values Removed | Values Added
Title | | SQL Injection in SourceCodester Online Food Ordering System v1.0

Fri, 27 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-89
Metrics | | cvssV3_1: {"score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}
Metrics | | ssvc: {"options": {"Automatable": "yes", "Exploitation": "poc", "Technical Impact": "total"}, "version": "2.0.3"}

Fri, 27 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_customer action). The application fails to properly sanitize user input supplied to the "username" parameter. This allows an attacker to inject malicious SQL commands.
References | |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T19:57:58.182Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30530

Vulnrichment

Updated: 2026-03-27T19:56:48.935Z

NVD

Status: Received

Published: 2026-03-27T16:16:23.567

Modified: 2026-03-27T20:16:28.953

Link: CVE-2026-30530

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:25:58Z

Weaknesses