Cyber Resilience

CVE-2026-30533

CriticalPublic PoC

Published: 27 March 2026

Published
27 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0039 31.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-30533 is a critical-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Online Food Ordering System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30533 is a SQL injection vulnerability (CWE-89) affecting SourceCodester Online Food Ordering System version 1.0. The flaw resides in the admin/manage_product.php file, where the "id" parameter fails to properly sanitize user input, allowing malicious SQL queries to be injected. This critical issue, published on 2026-03-27, carries a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and lack of prerequisites.

Remote attackers without authentication can exploit this vulnerability by sending crafted requests to the vulnerable endpoint. Successful exploitation enables arbitrary SQL query execution, potentially leading to high-impact outcomes such as unauthorized data exfiltration (confidentiality), database manipulation or deletion (integrity), and service disruption (availability), all without requiring user interaction or privileges.

A proof-of-concept exploit is detailed in the referenced GitHub repository at https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-ManageProduct-id.md, which demonstrates the injection technique but does not specify official patches or mitigation steps from the vendor. Security practitioners should isolate affected systems, apply input validation and prepared statements as interim defenses, and monitor for anomalous database activity until vendor guidance emerges.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the "id" parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in unauthenticated, network-accessible web application endpoint directly enables T1190 (Exploit Public-Facing Application) for initial access, arbitrary query execution, data exfiltration, manipulation, or denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30531Same product: Oretnom23 Online Food Ordering System
CVE-2026-30529Same product: Oretnom23 Online Food Ordering System
CVE-2026-30532Same product: Oretnom23 Online Food Ordering System
CVE-2026-30530Same product: Oretnom23 Online Food Ordering System
CVE-2026-30534Same product: Oretnom23 Online Food Ordering System
CVE-2025-2387Same product: Oretnom23 Online Food Ordering System
CVE-2026-26706Same vendor: Oretnom23
CVE-2026-26892Same vendor: Oretnom23
CVE-2026-26707Same vendor: Oretnom23
CVE-2026-26705Same vendor: Oretnom23

Affected Assets

oretnom23
online food ordering system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by validating and sanitizing the unsanitized 'id' parameter in admin/manage_product.php before database query execution.

prevent

Remediates the SQL injection flaw through identification, correction, and testing of updates like prepared statements in the vulnerable file.

detect

Monitors system activity to detect exploitation indicators such as anomalous database queries or unauthorized data access resulting from SQL injection.

References