Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the "id" parameter.
Published: 2026-03-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise
Action: Assess Impact
AI Analysis

Impact

An attacker can inject SQL code through the "id" parameter of the admin/manage_product.php page in the SourceCodester Online Food Ordering System. Because the parameter reaches the query text unneutralized, a crafted value changes the query the database executes: the attacker can read, modify or delete product records and, within the privileges of the application's database account, any other data that account can reach, exposing sensitive information and disrupting inventory data. The weakness is CWE‑89, Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection").

Affected Systems

Only the SourceCodester Online Food Ordering System version 1.0 is affected, specifically its admin interface where the manage_product.php script resides. No other vendors or products are listed in the CNA data.

Risk and Exploitability

When this analysis was generated, no CVSS or EPSS score had been assigned. The page now carries a CVSS 3.1 base score of 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), an EPSS below 1%, and an SSVC assessment of Exploitation: poc, Automatable: yes, Technical Impact: total; the vulnerability is not listed in CISA's KEV catalog. The vector describes a single crafted HTTP request carrying a malicious "id" value, sent from any network that can reach the application, with no prior privileges and no user interaction. A successful attack runs with the privileges of the application's database account, so the confidentiality, integrity and availability of the product data, and of any other table that account can reach, are all at high risk.

Generated by OpenCVE AI on March 27, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether your installation uses SourceCodester Online Food Ordering System v1.0 and whether the admin/manage_product.php endpoint is present.
  • If an update or patch exists from the project maintainer, upgrade immediately to the latest version.
  • If no patch is available, modify the application code to validate and sanitize the "id" input and rewrite the database query to use prepared statements or parameter binding.
  • Ensure that access to the admin area requires proper authentication and role‑based authorization so only privileged users can reach the vulnerable page. Treat this as defence in depth rather than as the fix: the CVSS vector on this page rates the flaw as requiring no privileges (PR:N), so do not assume the admin login alone blocks the request.
  • Regularly inspect web server logs for abnormal requests to manage_product.php, in particular "id" values that are not a plain integer (quotes, SQL keywords, comment sequences, or their URL‑encoded forms), and block or rate‑limit the source IP addresses.
  • Run a web application vulnerability scanner after applying changes to confirm the SQL injection vector is closed.
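Added example for this advisory, written here to illustrate the code fix in the recommended actions; it is not code from the SourceCodester project, and the project's real admin/manage_product.php is not reproduced on this page. The table layout (products: id, name, price), the use of PDO, and the in-memory SQLite database the demo runs against are all assumptions. The first function shows the CWE-89 pattern the description implies (the "id" parameter concatenated into the query text); the second validates "id" as a positive integer and binds it as a parameter so the database never parses attacker input as SQL:

```php
<?php
declare(strict_types=1);
// Added example for the CVE-2026-30533 page. NOT the SourceCodester project's
// code: the real admin/manage_product.php is not shown on the page, so the
// table layout (products: id, name, price), the use of PDO and the SQLite
// in-memory database below are assumptions made to demonstrate the fix.

/** Hypothetical vulnerable pattern (CWE-89): "id" is pasted into the SQL text. */
function loadProductVulnerable(PDO $db, array $get): array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT id, name, price FROM products WHERE id = " . $id;  // never do this
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Hardened pattern: reject anything that is not a positive integer, then
 * bind the value as a parameter. A rejected value yields no rows; a valid
 * one reaches the database as a bound integer, never as query text.
 */
function loadProductSafe(PDO $db, array $get): array
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return [];                       // not a product id at all
    }
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo on a constructed in-memory SQLite database (not real app data) ---
$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$db->exec("INSERT INTO products VALUES (1, 'Burger', 5.5), (2, 'Pizza', 9.0)");

$normal = ['id' => '1'];
$tamper = ['id' => '0 OR 1=1'];   // generic SQLi shape; not a claim about the real app

printf("vulnerable, id=1        -> %d row(s)\n", count(loadProductVulnerable($db, $normal)));
printf("vulnerable, id=0 OR 1=1 -> %d row(s)\n", count(loadProductVulnerable($db, $tamper)));
printf("safe,       id=1        -> %d row(s)\n", count(loadProductSafe($db, $normal)));
printf("safe,       id=0 OR 1=1 -> %d row(s)\n", count(loadProductSafe($db, $tamper)));
```

Run it with `php` on a build that has pdo_sqlite. Through the vulnerable path the tampered value returns every product row, because the `OR 1=1` becomes part of the WHERE clause; through the hardened path the same value fails integer validation and returns nothing. If the project uses mysqli rather than PDO, the same shape applies with `mysqli::prepare` and `bind_param('i', $id)`. The validation step is what lets you answer the first recommended action above: any request whose "id" is not a plain positive integer is one the page should never have been able to act on.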

Generated by OpenCVE AI on March 27, 2026 at 16:50 UTC.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

Type        Values Removed    Values Added
Weaknesses                    CWE-89
Metrics                       cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                              ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 20:30:00 +0000

Type        Values Removed    Values Added
Title                         SQL Injection in SourceCodester Online Food Ordering System Admin/manage_product.php

Fri, 27 Mar 2026 15:30:00 +0000

Type        Values Removed    Values Added
Description                   A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the "id" parameter.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T20:13:29.182Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30533

Vulnrichment

Updated: 2026-03-27T20:12:51.780Z

NVD

Status : Received

Published: 2026-03-27T16:16:23.917

Modified: 2026-03-27T21:17:22.060

Link: CVE-2026-30533

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:59Z

Weaknesses