CVE-2026-30530
Published: 27 March 2026
Summary
CVE-2026-30530 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Online Food Ordering System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validating and sanitizing user-supplied inputs like the 'username' parameter to block SQL injection in the save_customer action.
Mandates identification, reporting, and correction of flaws such as the SQL injection vulnerability in Actions.php.
Provides vulnerability scanning to identify SQL injection flaws like CVE-2026-30530 and remediate them based on risk assessments.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web app (Actions.php save_customer) directly enables remote exploitation of Internet-facing applications per T1190.
NVD Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_customer action). The application fails to properly sanitize user input supplied to the "username" parameter. This allows an attacker to inject malicious…
more
SQL commands.
Deeper analysisAI
CVE-2026-30530 is a SQL injection vulnerability in the SourceCodester Online Food Ordering System version 1.0, affecting the Actions.php file in the save_customer action. The flaw arises because the application does not properly sanitize user input supplied to the "username" parameter, enabling attackers to inject malicious SQL commands. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
The vulnerability can be exploited by unauthenticated attackers over the network with low complexity and no user interaction required. By manipulating the "username" parameter during the save_customer action, attackers can execute arbitrary SQL queries, potentially leading to high-impact confidentiality, integrity, and availability violations, such as data exfiltration, modification, or deletion from the underlying database.
A proof-of-concept exploit is publicly available on GitHub at https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-Actions-saveCustomer-username.md. No official advisories or patches are referenced in the available information.
Details
- CWE(s)