CVE-2026-30529
Published: 27 March 2026
Summary
CVE-2026-30529 is a high-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Online Food Ordering System. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validating and sanitizing user-supplied inputs such as the 'username' parameter to prevent SQL injection in the save_user action of Actions.php.
Enforces restrictions on inputs to the system, blocking SQL injection payloads in the 'username' parameter using allowlists or denylists.
Mandates timely identification, reporting, and remediation of the SQL injection flaw in Actions.php, preventing exploitation of this specific vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in the public-facing Online Food Ordering System web app (Actions.php save_user) directly enables T1190 exploitation by unauthenticated network attackers after low-priv auth, with full C/I/A impact via arbitrary SQL commands.
NVD Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_user action). The application fails to properly sanitize user input supplied to the "username" parameter. This allows an authenticated attacker to inject…
more
malicious SQL commands.
Deeper analysisAI
CVE-2026-30529, published on 2026-03-27, is a SQL injection vulnerability (CWE-89) affecting SourceCodester Online Food Ordering System version 1.0. The flaw exists in the Actions.php file, specifically within the save_user action, where the application fails to properly sanitize user-supplied input in the "username" parameter. This allows attackers to inject malicious SQL commands. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Exploitation enables high-impact compromises to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary SQL command execution to extract sensitive data, modify database contents, or disrupt system availability.
A proof-of-concept demonstrating the SQL injection via the username parameter is available at https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-Actions-saveUser-username.md. No vendor advisories or patches are detailed in the CVE references.
Details
- CWE(s)