Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in admin/manage_category.php via the "id" parameter.
Published: 2026-03-27
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allows execution of arbitrary SQL commands on the database
Action: Mitigate
AI Analysis

Impact

The vulnerability lies in the way the admin/manage_category.php script handles the "id" parameter, allowing an attacker to inject malicious SQL code. This flaw can enable the execution of arbitrary SQL statements, potentially giving the attacker the ability to read, modify, or delete data in the underlying database. In a high-privilege scenario the attacker could compromise entire user data sets or business records.

Affected Systems

SourceCodester Online Food Ordering System version 1.0, specifically the admin category management component accessed via manage_category.php. No other product versions are presently listed as affected.

Risk and Exploitability

No EPSS score or KEV designation is available, and the severity rating is not provided, which suggests limited public exploitation data. Nonetheless, the flaw is reasonably exploitable given that it accepts a publicly accessible parameter. An attacker who can reach the admin interface, whether through compromised credentials or an exposed management endpoint, could manipulate database contents. The risk includes unauthorized access to sensitive data or service disruption through data corruption.

Generated by OpenCVE AI on March 27, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Online Food Ordering System to the latest version if a vendor patch is available
  • Modify admin/manage_category.php so that the "id" parameter is validated as a numeric value before use
  • Rewrite the database query to use prepared statements or parameterized queries to eliminate direct inclusion of user input
  • Configure the web application firewall to detect and block SQL injection patterns on this endpoint
  • Audit the application logs for suspicious query patterns and investigate any anomalous activity
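The second and third recommended actions (numeric validation of "id" and a prepared statement) in one hardened handler, as an added example that is not the project's own code; the table and column names, the PDO connection values and the response handling are assumptions, and the vulnerable pattern is shown only as a comment for contrast.

```php
<?php
// Added example, not code from the Online Food Ordering System.
// Assumed schema: table `categories` with integer column `id` and text column `name`.

function parse_category_id(array $request): ?int
{
    // Accept only a plain positive integer string; arrays, empty values and
    // anything with trailing characters (e.g. "1 OR 1=1") are rejected.
    if (!isset($request['id']) || !is_string($request['id'])) {
        return null;
    }
    $id = filter_var($request['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetch_category(PDO $db, int $id): ?array
{
    // The value is bound as an integer parameter, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Vulnerable pattern the advisory describes (string concatenation of user input):
//   $conn->query("SELECT * FROM categories WHERE id = " . $_GET['id']);

// Connection values are placeholders; configure for the real deployment.
$db = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

$id = parse_category_id($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid category id');
}

$category = fetch_category($db, $id);
if ($category === null) {
    http_response_code(404);
    exit('Category not found');
}

// Output-encode when rendering to avoid turning the fix into an XSS bug.
echo htmlspecialchars($category['name'], ENT_QUOTES, 'UTF-8');
```

The same two-step pattern (validate the type, then bind the value) applies to every other place in the admin scripts that reads an identifier from the request.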

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 03:15:00 +0000

  Type: Metrics (values added)
    cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 20:30:00 +0000

  Type: Title (value added)
    SQL Injection in Admin Manage Category for Online Food Ordering System
  Type: Weaknesses (value added)
    CWE-89

Fri, 27 Mar 2026 15:30:00 +0000

  Type: Description (value added)
    A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in admin/manage_category.php via the "id" parameter.
  Type: References (values added)

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T20:09:18.865Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30534

Vulnrichment

Updated: 2026-03-27T20:08:51.205Z

NVD

Status: Received

Published: 2026-03-27T16:16:24.030

Modified: 2026-03-27T21:17:22.233

Link: CVE-2026-30534

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:58Z

Weaknesses