CVE-2026-30534
Published: 27 March 2026
Summary
CVE-2026-30534 is a high-severity SQL injection (CWE-89) vulnerability in the Oretnom23 / SourceCodester Online Food Ordering System v1.0. Its CVSS v3.1 base score is 8.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 11.4th percentile for exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the SQL injection by requiring validation and sanitization of the unsanitized 'id' parameter in admin/manage_category.php.
- SI-2 (Flaw Remediation): requires identification and timely remediation of the specific SQL injection flaw documented in this CVE.
- Enforces restrictions on information inputs such as the 'id' parameter to block malicious SQL payloads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a remotely accessible web application directly enables T1190 for exploitation of the public-facing app; facilitates T1213.006 for unauthorized database queries and data extraction; and enables T1565.001 for stored data manipulation via crafted SQL altering records.
NVD Description
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in admin/manage_category.php via the "id" parameter.
Deeper analysis
CVE-2026-30534 is a SQL injection vulnerability (CWE-89) affecting SourceCodester Online Food Ordering System version 1.0. The issue exists in the admin/manage_category.php component, where the "id" parameter is placed into a SQL query without sanitization or parameterization, so attacker-supplied SQL is executed by the database. Published on 2026-03-27, it carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to its network accessibility and potential for significant data compromise.
A remote attacker holding low privileges (PR:L), in practice an authenticated account that can reach the admin/ endpoint, can exploit this vulnerability over the network with low attack complexity and no user interaction. By injecting crafted SQL via the "id" parameter, the attacker can achieve high impacts on confidentiality and integrity, such as extracting sensitive data from the database or altering records, and a low impact on availability, leading to unauthorized data access or manipulation within the application's backend.
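The following is an added example, not code from the Online Food Ordering System or its PoC, illustrating both the injection pattern described above and the SI-10 mitigation listed under Mitigating Controls. It stands in for the PHP application with Python and an in-memory SQLite database; the table names, columns and rows are constructed for the demonstration and do not reflect the real schema. `vulnerable_lookup` interpolates the raw 'id' value into the query the way the advisory describes; `parameterized_lookup` binds it as a parameter; `hardened_lookup` additionally validates the value against the format the parameter is supposed to have. The payloads are generic SQL injection strings, not the specific content of the referenced PoC.

```python
import re
import sqlite3

# Constructed sample data standing in for the application's category and
# account tables (assumption: names and columns are illustrative only).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE category_list (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO category_list VALUES (1, 'Pizza'), (2, 'Burgers');
        INSERT INTO users VALUES (1, 'admin', 'hash-placeholder');
    """)
    return conn


def vulnerable_lookup(conn, raw_id):
    # The CWE-89 pattern: the request parameter is spliced into the SQL text,
    # so anything the attacker puts in 'id' becomes part of the statement.
    sql = f"SELECT id, name FROM category_list WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, raw_id):
    # Binding the value keeps it as data: the database never parses it as SQL.
    # In the PHP original this is the mysqli/PDO prepared-statement equivalent.
    sql = "SELECT id, name FROM category_list WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def hardened_lookup(conn, raw_id):
    # SI-10 layered on top: reject anything that is not a short positive integer
    # before it reaches the query, then bind the converted value.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    return parameterized_lookup(conn, int(raw_id))


def hardened_rejects(conn, raw_id):
    # Helper so callers can check the validation outcome without try/except.
    try:
        hardened_lookup(conn, raw_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = build_db()
    # Boolean-based injection: the WHERE clause becomes always-true (T1213.006-style data exposure).
    print(vulnerable_lookup(db, "0 OR 1=1"))
    # UNION-based injection pulls rows from an unrelated table into the response.
    print(vulnerable_lookup(db, "0 UNION SELECT id, username || ':' || password FROM users"))
    # The same payloads are inert once the value is bound as a parameter.
    print(parameterized_lookup(db, "0 OR 1=1"))
    # And are rejected outright by the input validation layer.
    print(hardened_rejects(db, "0 OR 1=1"))
```

The parameterized version alone already defeats the injection; the validation layer adds defense in depth and gives the application a clean place to log and alert on malformed 'id' values, which is the detection hook for T1190 attempts against this endpoint.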
A proof-of-concept demonstrating the exploitation is documented in the reference at https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-ManageCategory-id.md. No vendor advisories or patches are specified in the available information.
Details
- CWE(s)