Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_category action). The application fails to properly sanitize user input supplied to the "name" parameter. This allows an authenticated attacker to inject malicious SQL commands.
Published: 2026-03-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Database Access
Action: Apply Patch
AI Analysis

Impact

A SQL injection flaw exists in the save_category action of the Actions.php script within SourceCodester Online Food Ordering System version 1.0. The application does not properly sanitize the "name" input, allowing an authenticated user to inject and execute arbitrary SQL statements. This can lead to unauthorized data modification, disclosure, or possible database compromise, representing a high-risk vulnerability classified as CWE-89.

Affected Systems

The vulnerability affects SourceCodester Online Food Ordering System, specifically version 1.0, where category data is managed via the Actions.php file.

Risk and Exploitability

Exploitation requires an authenticated session with the application; therefore, attackers must first obtain valid credentials. Once authenticated, the attacker can craft a request to the save_category endpoint with malicious SQL payloads. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, but the lack of input validation and the potential for data integrity and confidentiality loss make the risk high.

Generated by OpenCVE AI on March 27, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or upgrade to the latest version of the application.
  • Implement input validation or use prepared statements for all database interactions, especially the "name" field in Actions.php.
  • Restrict category management privileges to trusted administrators only.
  • Review and audit database logs for unauthorized changes.
  • If an immediate upgrade is not possible, temporarily disable the category creation feature.
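To make the second recommended action concrete, here is an added PHP example (it is not code from the project, the vendor or OpenCVE) of what a hardened save_category handler could look like. Everything in it is assumed for illustration: the PDO connection, the session keys `role` and `user`, the `categories` table layout and the validation rules; the SQLite in-memory database stands in for the application's real database so the file runs on its own.

```php
<?php
// Hypothetical hardened save_category handler (added example, not the project's code).
// Assumptions: a PDO connection in $pdo, the caller's role in $session['role'],
// and a categories table with an auto-increment id and a name column.
declare(strict_types=1);

/*
 * The weak pattern the advisory describes, shown only for contrast: the request
 * value is spliced into the SQL text, so the query structure is decided by
 * whoever supplies "name" rather than by the application.
 *
 *   $sql = "INSERT INTO categories (name) VALUES ('" . $_POST['name'] . "')";
 *   $conn->query($sql);
 */

// Allow-list validation: non-empty, at most 50 characters, letters/digits/space
// and a few punctuation marks. This limits what reaches the database at all;
// the prepared statement below is what actually prevents injection.
function validate_category_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 50) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} &\'.-]+$/u', $name)) {
        return null;
    }
    return $name;
}

function save_category(PDO $pdo, array $post, array $session): array
{
    // Authorization: category management is restricted to administrators
    // (the third recommended action), so a plain authenticated user is refused.
    if (($session['role'] ?? '') !== 'admin') {
        return ['status' => 'forbidden'];
    }

    $name = validate_category_name((string) ($post['name'] ?? ''));
    if ($name === null) {
        return ['status' => 'invalid'];
    }

    $id = (int) ($post['id'] ?? 0);

    // Prepared statements: the name is bound as a parameter, so the database
    // receives it as data and never parses it as part of the SQL statement.
    if ($id > 0) {
        $stmt = $pdo->prepare('UPDATE categories SET name = :name WHERE id = :id');
        $stmt->execute([':name' => $name, ':id' => $id]);
    } else {
        $stmt = $pdo->prepare('INSERT INTO categories (name) VALUES (:name)');
        $stmt->execute([':name' => $name]);
        $id = (int) $pdo->lastInsertId();
    }

    // Audit trail so later review (the fourth recommended action) can tie each
    // category change to the account that made it.
    error_log(sprintf('category %d saved by user %s', $id, $session['user'] ?? 'unknown'));

    return ['status' => 'ok', 'id' => $id];
}

// Stand-alone demo with a constructed database and constructed requests.
$pdo = new PDO('sqlite::memory:');   // assumption: stand-in for the app's real DB
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL)');

// A legitimate name containing a quote is stored verbatim, not interpreted.
$saved = save_category($pdo, ['name' => "Bob's Burgers"], ['role' => 'admin', 'user' => 'demo']);
// A non-admin session is refused before any database access happens.
$refused = save_category($pdo, ['name' => 'Drinks'], ['role' => 'customer', 'user' => 'demo']);

echo json_encode(['saved' => $saved, 'refused' => $refused]), PHP_EOL;
echo json_encode($pdo->query('SELECT id, name FROM categories')->fetchAll(PDO::FETCH_ASSOC)), PHP_EOL;
```

The two controls do different jobs: the allow-list narrows the input surface and gives a clear error for junk, while parameter binding is the actual fix for CWE-89, because the statement text is fixed before any user data is attached. Dropping the allow-list would still leave the handler injection-safe; dropping the prepared statement would not.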


Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 20:30:00 +0000

Type: Title
Values Removed: (none)
Values Added: SQL Injection in Category Creation of Online Food Ordering System

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Fri, 27 Mar 2026 16:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_category action). The application fails to properly sanitize user input supplied to the "name" parameter. This allows an authenticated attacker to inject malicious SQL commands.

Type: References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T20:04:55.643Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30531

Vulnrichment

Updated: 2026-03-27T20:04:21.095Z

NVD

Status : Received

Published: 2026-03-27T16:16:23.687

Modified: 2026-03-27T21:17:21.710

Link: CVE-2026-30531

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:25:57Z

Weaknesses