CVE-2026-30532
Published: 27 March 2026
Summary
CVE-2026-30532 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Online Food Ordering System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the lack of sanitization on the 'id' parameter in admin/view_product.php by enforcing input validation mechanisms to block SQL injection payloads.
Restricts the 'id' parameter to valid formats such as integers, preventing malicious SQL strings from being processed in backend queries.
Requires identification, reporting, and correction of the specific SQL injection flaw in admin/view_product.php to eliminate the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web endpoint (admin/view_product.php) directly maps to T1190 for remote initial access and arbitrary query execution against the backend database.
NVD Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/view_product.php file via the "id" parameter.
Deeper analysisAI
CVE-2026-30532 is a SQL injection vulnerability (CWE-89) affecting SourceCodester Online Food Ordering System version 1.0. The flaw resides in the admin/view_product.php file, where the "id" parameter fails to properly sanitize user input, allowing malicious SQL payloads to be injected into backend database queries. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network by sending crafted requests to the vulnerable endpoint. Successful exploitation enables arbitrary SQL query execution, potentially allowing full database compromise, including data extraction, modification, or deletion, as well as potential escalation to server-level access depending on database privileges and configuration.
A proof-of-concept demonstrating the SQL injection is available in the GitHub repository at https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-ViewProduct-id.md. No official advisories or patches are referenced in available information.
Details
- CWE(s)