This vulnerability is a stored XSS in SourceCodester Online Food Ordering System v1.0's admin panel Category management module. The application does not properly sanitize input entered into the "Category Name" field when creating or updating categories. As a result, an attacker with administrative privileges can inject JavaScript code that is stored and later executed in the browsers of users viewing the category list or any page rendering that category. The CVSS score is 4.8 (medium severity) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, high privileges required, user interaction needed, scope changed, and low impact on confidentiality and integrity, no impact on availability.

Successful exploitation allows an attacker with administrative privileges to inject malicious scripts that execute in the context of other users' browsers when they view the affected category pages. This can lead to partial confidentiality and integrity loss, such as theft of session tokens or manipulation of displayed content. There is no direct impact on system availability. No known exploits are reported in the wild.

No official patch or fix is currently documented for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid entering untrusted input into the "Category Name" field and consider applying manual input sanitization or output encoding in the application code to prevent script injection. Monitoring for updates from the vendor is recommended.