Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects the function login2 of the file /admin/ajax.php?action=login2. The manipulation of the argument e-mail leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
AnalysisAI
SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability through the login2 function. The vulnerability exists in /admin/ajax.php when processing the email parameter during administrative login, enabling attackers to bypass authentication, extract sensitive data, modify records, or disrupt service. A proof-of-concept exploit has been publicly released on GitHub, significantly lowering the barrier to exploitation. CVSS 7.3 (High) reflects network-accessible attack surface with no authentication required and low attack complexity.
Technical ContextAI
This is a classic SQL injection vulnerability (CWE-89) in a PHP-based e-commerce application. The login2 function in /admin/ajax.php fails to properly sanitize or parameterize the email input parameter before constructing SQL queries for authentication. When user-supplied data from the email field is directly concatenated into SQL statements without escaping or prepared statement usage, attackers can inject malicious SQL commands that the database executes. The CPE string identifies SourceCodester Pizzafy Ecommerce System version 1.0 as affected. SourceCodester products are typically educational/demonstration code distributed through sourcecodester.com, often lacking enterprise-grade security controls. The admin context suggests this targets the administrative login interface, making it a high-value target for complete application compromise.
RemediationAI
No vendor-released patch identified at time of analysis (CVSS Ready Level: X/Unpatched). Organizations running Pizzafy Ecommerce System 1.0 in production environments must implement immediate compensating controls. Primary recommendation: Modify /admin/ajax.php to use parameterized queries (prepared statements) for all database interactions in the login2 function-replace string concatenation of the email parameter with PDO or mysqli prepared statements with bound parameters. Secondary controls: (1) Deploy a web application firewall (WAF) with SQL injection signature detection to filter malicious payloads targeting /admin/ajax.php?action=login2-note this is detection/mitigation not remediation and may be bypassed by encoding or obfuscation techniques. (2) Implement IP allowlisting for /admin/ directory access, restricting administrative interface to trusted management networks only-this reduces attack surface but does not address the underlying code vulnerability. (3) Enable database query logging and monitor for authentication anomalies or unusual SQL syntax patterns. For vulnerability details and POC code structure, reference the GitHub disclosure at https://github.com/fernando-mengali/vulndb-submissions/blob/main/03-vul-SQLI.md and VulDB entry https://vuldb.com/vuln/359826. Long-term recommendation: Migrate away from educational demonstration code to commercially-supported e-commerce platforms with dedicated security teams.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25990