Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_category action). The application fails to properly sanitize user input supplied to the "name" parameter. This allows an authenticated attacker to inject malicious SQL commands.
Published: 2026-03-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection
Action: Patch
AI Analysis

Impact

A SQL injection flaw exists in the save_category action of SourceCodester Online Food Ordering System v1.0. Because the application does not escape or validate the user-supplied 'name' parameter before using it in a database query, an authenticated user can inject arbitrary SQL statements. The vulnerability is classified as CWE-89 and allows an attacker to read, modify, or delete database records, potentially exposing sensitive order data or altering application state.

Affected Systems

The affected product is SourceCodester Online Food Ordering System version 1.0, specifically the Actions.php file handling the save_category function. No other vendors or product versions are explicitly listed.

Risk and Exploitability

The CVSS v3.1 base score of 8.8 (High) comes from the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: the flaw is reachable over the network with low attack complexity and no user interaction, requires only a low-privileged account, and has high impact on confidentiality, integrity, and availability. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild, and the CVE is not listed in CISA's KEV catalog, although the SSVC assessment records that a public proof of concept exists. An attacker must first authenticate to the application and then submit a crafted request to the save_category action with a malicious value in the name parameter. Successful exploitation yields arbitrary SQL execution with the privileges of the application's database account, compromising the confidentiality and integrity, and potentially the availability, of the database.

Generated by OpenCVE AI on March 30, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated version of the SourceCodester Online Food Ordering System if a vendor release addressing the SQL injection is available.
  • If no patch exists, modify the save_category handler so the name value is passed to the database through a parameterized (prepared) query, and validate its length and content before use.
  • Restrict the ability to add or edit categories to administrative users only.
  • Verify that the database account used by the application has only the minimum privileges required to perform its functions.
  • Enable logging of database queries and review logs regularly for suspicious activity.


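The parameterized-query and access-control recommendations above, shown as an added example that is not part of the OpenCVE page or of the SourceCodester code base. The vulnerable function is a hypothetical reconstruction of the CWE-89 pattern the CVE describes (the name parameter spliced into the SQL text), not a copy of Actions.php; the hardened version assumes a mysqli connection, a categories table with id and name columns, and a session field holding the user's role. The table, column, session and role names are assumptions.

```php
<?php
// Added example, not code from the Online Food Ordering System. The
// vulnerable function is a hypothetical reconstruction of the CWE-89
// pattern the CVE describes; the table, column, session and role names
// are assumptions for illustration.

// VULNERABLE (illustrative): the name value is spliced into the SQL text,
// so a name such as  x'); DROP TABLE categories; --  rewrites the statement.
function save_category_vulnerable(mysqli $conn, array $post): bool
{
    $name = $post['name'] ?? '';
    $sql  = "INSERT INTO categories (name) VALUES ('" . $name . "')";
    return $conn->query($sql) === true;
}

// HARDENED: authorization check, input validation, prepared statement.
function save_category_hardened(mysqli $conn, array $post, array $session): array
{
    // Only an administrator may create or rename categories (assumed role field).
    if (($session['role'] ?? null) !== 'admin') {
        return ['status' => 'failed', 'msg' => 'not authorised'];
    }

    // Validate before use: non-empty, bounded length. This is defence in depth;
    // the prepared statement below is what actually prevents injection.
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        return ['status' => 'failed', 'msg' => 'invalid category name'];
    }

    // An optional id selects update vs insert; the cast guarantees an integer.
    $id = (int) ($post['id'] ?? 0);

    $sql = $id > 0
        ? 'UPDATE categories SET name = ? WHERE id = ?'
        : 'INSERT INTO categories (name) VALUES (?)';

    // The SQL text is fixed at prepare time and bound values travel separately,
    // so quotes, semicolons and comment markers in $name cannot change the query.
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        return ['status' => 'failed', 'msg' => 'database error'];
    }
    if ($id > 0) {
        $stmt->bind_param('si', $name, $id);
    } else {
        $stmt->bind_param('s', $name);
    }
    if (!$stmt->execute()) {
        return ['status' => 'failed', 'msg' => 'database error'];
    }
    return ['status' => 'success', 'id' => $id > 0 ? $id : $conn->insert_id];
}

// Dispatch (assumed shape): an action query parameter selects the handler.
// Credentials and database name are placeholders.
if (($_GET['action'] ?? '') === 'save_category') {
    session_start();
    $conn = new mysqli('localhost', 'foodorder_app', 'change-me', 'food_ordering');
    header('Content-Type: application/json');
    echo json_encode(save_category_hardened($conn, $_POST, $_SESSION));
}
```

The connection in the dispatch block should use an account that holds only the SELECT, INSERT and UPDATE privileges the application needs on its own tables, as the least-privilege recommendation above requires; with such an account, a residual injection elsewhere in the application cannot drop tables or read other schemas.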
Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Title Authenticated SQL Injection in SourceCodester Online Food Ordering System v1.0 Allows Arbitrary SQL Execution

Mon, 30 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Oretnom23
Oretnom23 online Food Ordering System
CPEs cpe:2.3:a:oretnom23:online_food_ordering_system:1.0:*:*:*:*:*:*:*
Vendors & Products Oretnom23
Oretnom23 online Food Ordering System

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester online Food Ordering System
Vendors & Products Sourcecodester
Sourcecodester online Food Ordering System

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in Category Creation of Online Food Ordering System

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Title SQL Injection in Category Creation of Online Food Ordering System
Weaknesses CWE-89

Fri, 27 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_category action). The application fails to properly sanitize user input supplied to the "name" parameter. This allows an authenticated attacker to inject malicious SQL commands.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T20:04:55.643Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30531

Vulnrichment

Updated: 2026-03-27T20:04:21.095Z

NVD

Status : Analyzed

Published: 2026-03-27T16:16:23.687

Modified: 2026-03-30T18:18:11.070

Link: CVE-2026-30531

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:11Z

Weaknesses