CVE-2026-30527: n/a
A Stored Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Online Food Ordering System v1.0 in the Category management module within the admin panel. The application fails to properly sanitize user input supplied to the "Category Name" field when creating or updating a category. When an administrator or user visits the Category list page (or any page where this category is rendered), the injected JavaScript executes immediately in their browser.
AI Analysis
Technical Summary
CVE-2026-30527 is a stored cross-site scripting vulnerability found in the SourceCodester Online Food Ordering System version 1.0. The flaw exists in the Category management module within the admin panel, where the 'Category Name' input field does not properly sanitize user-supplied data. This allows an attacker with administrative privileges to inject malicious JavaScript code into the category name. When any user or administrator accesses the category list page or any page that renders the compromised category name, the injected script executes immediately in the victim's browser context. This stored XSS can be exploited to steal session cookies, perform actions on behalf of the victim, or deliver further malware. Although exploitation requires access to the admin panel to insert the payload, the impact extends to all users who view the affected categories. No official CVSS score has been assigned, and no public exploits have been reported yet. The vulnerability highlights the lack of proper input validation and output encoding in the application, which is critical in preventing XSS attacks. The absence of patch information suggests that users should apply manual mitigations or monitor for vendor updates.
Potential Impact
The primary impact of this vulnerability is the compromise of user confidentiality and integrity through the execution of arbitrary JavaScript in the context of the affected web application. Attackers can hijack user sessions, steal sensitive information such as credentials or personal data, and perform unauthorized actions with the victim's privileges. Since the vulnerability is stored, it persists until the malicious input is removed, potentially affecting multiple users over time. The requirement for administrative access to inject the payload limits the initial attack vector but does not mitigate the risk to regular users who view the injected content. Organizations using this online food ordering system risk reputational damage, data breaches, and potential regulatory penalties if customer data is compromised. Additionally, attackers could leverage this vulnerability to pivot to further attacks within the network or deliver malware payloads.
Mitigation Recommendations
To mitigate CVE-2026-30527, organizations should implement strict input validation on the 'Category Name' field to reject or sanitize any potentially malicious characters or scripts before storing them. Employing output encoding when rendering category names in the web interface is critical to prevent script execution. Access to the admin panel should be tightly controlled using strong authentication mechanisms and role-based access controls to minimize the risk of unauthorized injection. Regularly audit and sanitize existing category names to remove any malicious scripts. Monitoring web application logs for unusual input patterns or behavior can help detect exploitation attempts. Since no official patch is currently available, consider deploying a web application firewall (WAF) with rules to detect and block XSS payloads targeting this module. Finally, keep the application and its dependencies updated and monitor vendor advisories for forthcoming patches.
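As an added illustration of the two core mitigations above (example code written for this page, not the application's own source; Python stands in for whatever server-side language renders the category list), the following shows the unsafe interpolation pattern beside its output-encoded form, a hypothetical allow-list validator for the "Category Name" field, and an audit helper that flags stored names needing review. The sample rows are constructed.

```python
import html
import re

# Constructed sample rows standing in for the categories table; rows 3 and 4
# carry harmless XSS test markers, not real payloads.
SAMPLE_CATEGORIES = [
    {"id": 1, "name": "Pizza"},
    {"id": 2, "name": "Drinks & Snacks"},
    {"id": 3, "name": '<script>alert("xss")</script>'},
    {"id": 4, "name": 'Burgers" onmouseover="alert(1)'},
]

# Hypothetical allow-list for the "Category Name" field: letters, digits,
# spaces, ampersand, apostrophe, hyphen; 1 to 50 characters.
_NAME_OK = re.compile(r"^[A-Za-z0-9 &'\-]{1,50}$")

def validate_category_name(name):
    # Input validation step: reject anything outside the allow-list so that
    # markup never reaches the database in the first place.
    return bool(_NAME_OK.match(name))

def render_category_row_unsafe(cat):
    # Vulnerable pattern: the stored name is interpolated into HTML verbatim,
    # so a stored <script> tag is parsed and executed by the browser.
    return f'<tr><td>{cat["id"]}</td><td>{cat["name"]}</td></tr>'

def render_category_row(cat):
    # Hardened pattern: contextual output encoding for an HTML text node.
    # quote=True also encodes ' and ", so the helper is safe in attributes too.
    safe_name = html.escape(cat["name"], quote=True)
    return f'<tr><td>{cat["id"]}</td><td>{safe_name}</td></tr>'

# Markers that should never appear in a category name: tag delimiters,
# javascript: URLs, or inline event-handler attributes.
_SUSPICIOUS = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)

def audit_category_names(rows):
    # Periodic audit of existing rows: returns ids whose names need review.
    return [r["id"] for r in rows if _SUSPICIOUS.search(r["name"])]

if __name__ == "__main__":
    for cat in SAMPLE_CATEGORIES:
        print(render_category_row(cat))
    print("rows needing review:", audit_category_names(SAMPLE_CATEGORIES))
```

Validation alone is not sufficient, since names already stored before the check was added still reach the page; the encoding step is what makes them inert, and the audit identifies which rows to clean.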
Affected Countries
United States, India, Brazil, Indonesia, Philippines, United Kingdom, Germany, Canada, Australia, Mexico
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-03-04T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69c6acf53c064ed76fc0f149
Added to database: 3/27/2026, 4:14:45 PM
Last enriched: 3/27/2026, 4:30:38 PM
Last updated: 3/27/2026, 11:39:11 PM