{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30534", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-27T20:09:18.865Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T15:21:18.216Z"}, "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in admin/manage_category.php via the \"id\" parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-ManageCategory-id.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:08:18.586551Z", "id": "CVE-2026-30534", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:09:18.865Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in admin/manage_category.php via the \"id\" parameter."}], "id": "CVE-2026-30534", "lastModified": "2026-03-27T16:16:24.030", "metrics": {}, "published": "2026-03-27T16:16:24.030", "references": [{"source": "cve@mitre.org", "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-ManageCategory-id.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T16:23:51.586058+00:00", "value": {"mitigation_remediation": ["Update the Online Food Ordering System to the latest version if a vendor patch is available", "Modify admin/manage_category.php so that the \"id\" parameter is validated as a numeric value before use", "Rewrite the database query to use prepared statements or parameterized queries to eliminate direct inclusion of user input", "Configure the web application firewall to detect and block SQL injection patterns on this endpoint", "Audit the application logs for suspicious query patterns and investigate any anomalous activity"], "summary": {"action": "Mitigate", "impact": "SQL Injection allows execution of arbitrary SQL commands on the database"}, "threat_synthesis": {"affected_systems": "SourceCodester Online Food Ordering System version 1.0, specifically the admin category management component accessed via manage_category.php. No other product versions are presently listed as affected.", "description_and_impact": "The vulnerability lies in the way the admin/manage_category.php script handles the \"id\" parameter, allowing an attacker to inject malicious SQL code. This flaw can enable the execution of arbitrary SQL statements, potentially granting the attacker read, modify, or delete rights on the underlying database. In a high\u2011privilege scenario the attacker could compromise entire user data sets or business records.", "risk_and_exploitability": "No EPSS score or KEV designation is available, and the severity rating is not provided, which suggests limited public exploitation data. Nonetheless, the flaw is reasonably exploitable given that it accepts a publicly accessible parameter. An attacker who can reach the admin interface\u2014whether through compromised credentials or an exposed management endpoint\u2014could manipulate database contents. The risk includes unauthorized access to sensitive data or service disruption through data corruption."}}}}, "created": "2026-03-27T20:28:58.713871+00:00", "title": "SQL Injection in Admin Manage Category for Online Food Ordering System", "updated": "2026-03-27T20:28:58.713904+00:00", "vendors": [], "weaknesses": ["CWE-89"]}