{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30531", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-27T20:04:55.643Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T15:27:24.937Z"}, "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_category action). The application fails to properly sanitize user input supplied to the \"name\" parameter. This allows an authenticated attacker to inject malicious SQL commands."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-Actions-saveCategory-name.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:03:47.482501Z", "id": "CVE-2026-30531", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:04:55.643Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Actions.php file (specifically the save_category action). The application fails to properly sanitize user input supplied to the \"name\" parameter. This allows an authenticated attacker to inject malicious SQL commands."}], "id": "CVE-2026-30531", "lastModified": "2026-03-27T16:16:23.687", "metrics": {}, "published": "2026-03-27T16:16:23.687", "references": [{"source": "cve@mitre.org", "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-Actions-saveCategory-name.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T17:24:58.965348+00:00", "value": {"mitigation_remediation": ["Apply any vendor patch or upgrade to the latest version of the application.", "Implement input validation or use prepared statements for all database interactions, especially the \\\"name\\\" field in Actions.php.", "Restrict category management privileges to trusted administrators only.", "Review and audit database logs for unauthorized changes.", "If an immediate upgrade is not possible, temporarily disable the category creation feature."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Database Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects SourceCodester Online Food Ordering System, specifically version 1.0, where category data is managed via the Actions.php file.", "description_and_impact": "A SQL injection flaw exists in the save_category action of the Actions.php script within SourceCodester Online Food Ordering System version 1.0. The application does not properly sanitize the \\\"name\\\" input, allowing an authenticated user to inject and execute arbitrary SQL statements. This can lead to unauthorized data modification, disclosure, or possible database compromise, representing a high\u2011risk vulnerability classified as CWE-89.", "risk_and_exploitability": "Exploitation requires an authenticated session with the application; therefore, attackers must first obtain valid credentials. Once authenticated, the attacker can craft a request to the save_category endpoint with malicious SQL payloads. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, but the lack of input validation and the potential for data integrity and confidentiality loss make the risk high."}}}}, "created": "2026-03-27T20:25:57.296733+00:00", "title": "SQL Injection in Category Creation of Online Food Ordering System", "updated": "2026-03-27T20:25:57.296771+00:00", "vendors": [], "weaknesses": ["CWE-89"]}