Cyber Resilience

CVE-2026-30529

HighPublic PoC

Published: 27 March 2026

Published
27 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0045 35.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30529 is a high-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Online Food Ordering System. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30529, published on 2026-03-27, is a SQL injection vulnerability (CWE-89) affecting SourceCodester Online Food Ordering System version 1.0. The flaw exists in the Actions.php file, specifically within the save_user action, where the application fails to properly sanitize user-supplied input in the "username" parameter. This allows attackers to inject malicious SQL commands. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Exploitation enables high-impact compromises to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary SQL command execution to extract sensitive data, modify database contents, or disrupt system availability.

A proof-of-concept demonstrating the SQL injection via the username parameter is available at https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-Actions-saveUser-username.md. No vendor advisories or patches are detailed in the CVE references.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_user action). The application fails to properly sanitize user input supplied to the "username" parameter. This allows an authenticated attacker to inject…

more

malicious SQL commands.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in the public-facing Online Food Ordering System web app (Actions.php save_user) directly enables T1190 exploitation by unauthenticated network attackers after low-priv auth, with full C/I/A impact via arbitrary SQL commands.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30531Same product: Oretnom23 Online Food Ordering System
CVE-2026-30532Same product: Oretnom23 Online Food Ordering System
CVE-2026-30533Same product: Oretnom23 Online Food Ordering System
CVE-2026-30530Same product: Oretnom23 Online Food Ordering System
CVE-2026-30534Same product: Oretnom23 Online Food Ordering System
CVE-2025-2387Same product: Oretnom23 Online Food Ordering System
CVE-2026-26706Same vendor: Oretnom23
CVE-2026-26892Same vendor: Oretnom23
CVE-2026-26707Same vendor: Oretnom23
CVE-2026-26705Same vendor: Oretnom23

Affected Assets

oretnom23
online food ordering system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validating and sanitizing user-supplied inputs such as the 'username' parameter to prevent SQL injection in the save_user action of Actions.php.

prevent

Enforces restrictions on inputs to the system, blocking SQL injection payloads in the 'username' parameter using allowlists or denylists.

prevent

Mandates timely identification, reporting, and remediation of the SQL injection flaw in Actions.php, preventing exploitation of this specific vulnerability.

References