Skip to main content

SourceCodester Pizzafy Ecommerce System CVE-2026-7407

| EUVDEUVD-2026-26289 LOW
SQL Injection (CWE-89)
2026-04-29 VulDB
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
Apr 29, 2026 - 21:22 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 21:22 NVD
4.7 (MEDIUM) 2.0 (LOW)
PoC Detected
Apr 29, 2026 - 21:16 vuln.today
Public exploit code
Analysis Generated
Apr 29, 2026 - 21:00 vuln.today
EUVD ID Assigned
Apr 29, 2026 - 20:57 euvd
EUVD-2026-26289
Analysis Generated
Apr 29, 2026 - 20:57 vuln.today
CVE Published
Apr 29, 2026 - 20:30 nvd
LOW 2.0

DescriptionCVE.org

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /pizzafy/admin/ajax.php?action=save_settings of the component Setting Handler. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

AnalysisAI

SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 allows authenticated high-privilege users to manipulate the save_settings function via the /pizzafy/admin/ajax.php endpoint, enabling database query modification with confidentiality, integrity, and availability impact. The vulnerability requires high-level authentication and is not remotely exploitable by unauthenticated attackers despite network-accessible endpoint; publicly available exploit code exists and the vulnerability has been disclosed.

Technical ContextAI

The vulnerability resides in the Setting Handler component's save_settings AJAX endpoint (/pizzafy/admin/ajax.php?action=save_settings), a PHP-based web application handling administrative configuration. The root cause is CWE-89 SQL Injection, indicating insufficient input validation or parameterized query usage when constructing database statements from user-supplied parameters. The attack surface is an HTTP-accessible AJAX endpoint, but exploitation requires prior authentication with high-privilege (administrator) credentials, limiting the practical attack surface in typical deployments. The CPE cpe:2.3:a:sourcecodester:pizzafy_ecommerce_system:*:*:*:*:*:*:*:* indicates the issue affects the Pizzafy Ecommerce System product line across multiple versions.

RemediationAI

Contact SourceCodester directly via https://www.sourcecodester.com/ to request a security patch or update for Pizzafy Ecommerce System 1.0, as no vendor-released patch version is identified in the available data. Immediate compensating controls should include: (1) Restrict network access to the /pizzafy/admin/ endpoint using a Web Application Firewall (WAF) or reverse proxy - only permit access from trusted internal IP ranges and require VPN for remote admin access, trading off remote administrative convenience for reduced attack surface; (2) Implement parameterized queries or prepared statements in the save_settings function if source code access is available, eliminating SQL injection at the root; (3) Apply input validation and whitelist permitted settings parameters to reject unexpected values; (4) Audit admin user accounts and disable or rotate credentials for any high-privilege accounts that may have been compromised; (5) Monitor database logs for anomalous SQL queries or execution patterns targeting the settings table. These controls do not eliminate the vulnerability but reduce exploitation probability by restricting who can reach the vulnerable endpoint.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-7407 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy