Cyber Resilience

CVE-2026-30532

CriticalPublic PoC

Published: 27 March 2026

Published
27 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0033 24.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-30532 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Online Food Ordering System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30532 is a SQL injection vulnerability (CWE-89) affecting SourceCodester Online Food Ordering System version 1.0. The flaw resides in the admin/view_product.php file, where the "id" parameter fails to properly sanitize user input, allowing malicious SQL payloads to be injected into backend database queries. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network by sending crafted requests to the vulnerable endpoint. Successful exploitation enables arbitrary SQL query execution, potentially allowing full database compromise, including data extraction, modification, or deletion, as well as potential escalation to server-level access depending on database privileges and configuration.

A proof-of-concept demonstrating the SQL injection is available in the GitHub repository at https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-ViewProduct-id.md. No official advisories or patches are referenced in available information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/view_product.php file via the "id" parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in unauthenticated public-facing web endpoint (admin/view_product.php) directly maps to T1190 for remote initial access and arbitrary query execution against the backend database.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30531Same product: Oretnom23 Online Food Ordering System
CVE-2026-30529Same product: Oretnom23 Online Food Ordering System
CVE-2026-30533Same product: Oretnom23 Online Food Ordering System
CVE-2026-30530Same product: Oretnom23 Online Food Ordering System
CVE-2026-30534Same product: Oretnom23 Online Food Ordering System
CVE-2025-2387Same product: Oretnom23 Online Food Ordering System
CVE-2026-26706Same vendor: Oretnom23
CVE-2026-26892Same vendor: Oretnom23
CVE-2026-26707Same vendor: Oretnom23
CVE-2026-26705Same vendor: Oretnom23

Affected Assets

oretnom23
online food ordering system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the lack of sanitization on the 'id' parameter in admin/view_product.php by enforcing input validation mechanisms to block SQL injection payloads.

prevent

Restricts the 'id' parameter to valid formats such as integers, preventing malicious SQL strings from being processed in backend queries.

prevent

Requires identification, reporting, and correction of the specific SQL injection flaw in admin/view_product.php to eliminate the vulnerability.

References