CVE-2026-30533
Published: 27 March 2026
Summary
CVE-2026-30533 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Online Food Ordering System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by validating and sanitizing the unsanitized 'id' parameter in admin/manage_product.php before database query execution.
Remediates the SQL injection flaw through identification, correction, and testing of updates like prepared statements in the vulnerable file.
Monitors system activity to detect exploitation indicators such as anomalous database queries or unauthorized data access resulting from SQL injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated, network-accessible web application endpoint directly enables T1190 (Exploit Public-Facing Application) for initial access, arbitrary query execution, data exfiltration, manipulation, or denial of service.
NVD Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the "id" parameter.
Deeper analysisAI
CVE-2026-30533 is a SQL injection vulnerability (CWE-89) affecting SourceCodester Online Food Ordering System version 1.0. The flaw resides in the admin/manage_product.php file, where the "id" parameter fails to properly sanitize user input, allowing malicious SQL queries to be injected. This critical issue, published on 2026-03-27, carries a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and lack of prerequisites.
Remote attackers without authentication can exploit this vulnerability by sending crafted requests to the vulnerable endpoint. Successful exploitation enables arbitrary SQL query execution, potentially leading to high-impact outcomes such as unauthorized data exfiltration (confidentiality), database manipulation or deletion (integrity), and service disruption (availability), all without requiring user interaction or privileges.
A proof-of-concept exploit is detailed in the referenced GitHub repository at https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-ManageProduct-id.md, which demonstrates the injection technique but does not specify official patches or mitigation steps from the vendor. Security practitioners should isolate affected systems, apply input validation and prepared statements as interim defenses, and monitor for anomalous database activity until vendor guidance emerges.
Details
- CWE(s)