CVE-2026-30531
Published: 27 March 2026
Summary
CVE-2026-30531 is a high-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Online Food Ordering System. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of user inputs like the 'name' parameter in Actions.php to block malicious SQL injection.
Restricts characteristics and types of inputs to the 'name' parameter, preventing oversized or malformed payloads used in SQL injection.
Enforces boundary protection with web application firewalls to inspect and block SQL injection attempts targeting the save_category action.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a remotely accessible web application (Actions.php save_category) directly enables exploitation of public-facing applications per T1190, allowing arbitrary SQL execution with high C/I/A impact.
NVD Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_category action). The application fails to properly sanitize user input supplied to the "name" parameter. This allows an authenticated attacker to inject…
more
malicious SQL commands.
Deeper analysisAI
CVE-2026-30531 is a SQL injection vulnerability in SourceCodester Online Food Ordering System v1.0, published on 2026-03-27. The flaw exists in the Actions.php file, specifically the save_category action, where the application fails to properly sanitize user input supplied to the "name" parameter. This allows an authenticated attacker to inject malicious SQL commands, as classified under CWE-89, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation enables injection of arbitrary SQL commands, potentially resulting in high impacts to confidentiality (C:H), integrity (I:H), and availability (A:H), such as unauthorized data access, modification, or deletion within the application's database.
A proof-of-concept demonstrating the SQL injection in the save_category action via the "name" parameter is available at https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-Actions-saveCategory-name.md. No official advisories or patches are detailed in the provided references.
Details
- CWE(s)