{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30532", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-27T20:17:27.795Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T15:18:53.950Z"}, "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/view_product.php file via the \"id\" parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-ViewProduct-id.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:16:14.641080Z", "id": "CVE-2026-30532", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:17:27.795Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/view_product.php file via the \"id\" parameter."}], "id": "CVE-2026-30532", "lastModified": "2026-03-27T16:16:23.803", "metrics": {}, "published": "2026-03-27T16:16:23.803", "references": [{"source": "cve@mitre.org", "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-ViewProduct-id.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T16:24:48.100861+00:00", "value": {"mitigation_remediation": ["If an official patch or upgrade is released by SourceCodester, apply it immediately.", "Validate and sanitize all input parameters in the view_product.php script. Use prepared statements or parameterized queries instead of direct string concatenation.", "Limit database privileges for the application user to the minimum necessary actions.", "Disable error details that may reveal SQL structure to an attacker.", "Monitor web application logs for anomalous queries or repeated failed login attempts."], "summary": {"action": "Apply Patch", "impact": "Potential unauthorized data access through SQL injection"}, "threat_synthesis": {"affected_systems": "SourceCodester Online Food Ordering System version 1.0 is affected. No other products or versions are listed. The vulnerability resides in the admin module, specifically the view_product.php file.", "description_and_impact": "This vulnerability allows an attacker to inject arbitrary SQL code via the \"id\" parameter in the admin view_product.php script of SourceCodester Online Food Ordering System v1.0. The injection could be used to read, modify, or delete data in the underlying database, resulting in loss of confidentiality, integrity, and availability of sensitive information. The description indicates a typical SQL injection weakness (CWE\u201189).", "risk_and_exploitability": "The exact CVSS score is not provided, but SQL injection vulnerabilities are often considered high risk because they can be exploited from external input. No EPSS score is available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, suggesting it may not yet be actively exploited publicly. The attack vector is inferred to be remote, via manipulation of the URL parameter \"id\"."}}}}, "created": "2026-03-27T20:29:00.822091+00:00", "title": "SQL Injection in Admin Product View on SourceCodester Online Food Ordering System", "updated": "2026-03-27T20:29:00.822118+00:00", "vendors": [], "weaknesses": ["CWE-89"]}