{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30533", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-27T20:13:29.182Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T15:23:54.355Z"}, "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the \"id\" parameter."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-ManageProduct-id.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:12:14.634882Z", "id": "CVE-2026-30533", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:13:29.182Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the admin/manage_product.php file via the \"id\" parameter."}], "id": "CVE-2026-30533", "lastModified": "2026-03-27T16:16:23.917", "metrics": {}, "published": "2026-03-27T16:16:23.917", "references": [{"source": "cve@mitre.org", "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Online-Food-Ordering-System/SQLi-ManageProduct-id.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T16:50:42.401698+00:00", "value": {"mitigation_remediation": ["Verify whether your installation uses SourceCodester Online Food Ordering System v1.0 and whether the admin/manage_product.php endpoint is present.", "If an update or patch exists from the project maintainer, upgrade immediately to the latest version.", "If no patch is available, modify the application code to validate and sanitize the \"id\" input and rewrite the database query to use prepared statements or parameter binding.", "Ensure that access to the admin area requires proper authentication and role\u2011based authorization so only privileged users can reach the vulnerable page.", "Regularly inspect web server logs for abnormal requests to manage_product.php and block or rate\u2011limit suspicious IP addresses.", "Run a web application vulnerability scanner after applying changes to confirm the SQL injection vector is closed."], "summary": {"action": "Assess Impact", "impact": "Data Compromise"}, "threat_synthesis": {"affected_systems": "Only the SourceCodester Online Food Ordering System version 1.0 is affected, specifically its admin interface where the manage_product.php script resides. No other vendors or products are listed in the CNA data.", "description_and_impact": "An attacker can inject SQL code through the \"id\" query parameter in the admin/manage_product.php page of the SourceCodester Online Food Ordering System. This flaw allows the attacker to read, modify or delete product records in the database, potentially exposing sensitive information or disrupting inventory data. The weakness corresponds to the classic \"SQL Injection\" category of input validation failures (CWE\u201189).", "risk_and_exploitability": "No CVSS or EPSS score is provided, and the vulnerability is not listed in CISA\u2019s KEV catalog, so the exact likelihood of exploitation cannot be quantified. The most likely attack vector is a web request to the vulnerable endpoint with a crafted \"id\" value, which an attacker could send from any network that can reach the application. If exploited, the attacker would gain the same database privileges as the application, posing a high risk to confidentiality, integrity, and availability of product data."}}}}, "created": "2026-03-27T20:28:59.783222+00:00", "title": "SQL Injection in SourceCodester Online Food Ordering System Admin/manage_product.php", "updated": "2026-03-27T20:28:59.783260+00:00", "vendors": []}