Description
A vulnerability was detected in SourceCodester Pizzafy E-Commerce System 1.0. Affected by this vulnerability is the function Login of the file /admin/admin_class_novo.php of the component Administrative Control Panel. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.
Published: 2026-06-03
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated SQL injection in the login function of admin_class_novo.php, which allows a remote attacker to send crafted input through the Username field. Based on the description, it is inferred that no prior authentication is required to exploit the injection, because the vulnerability occurs in the login process itself. The injection can modify or retrieve data from the underlying database, potentially leading to unauthorized disclosure or alteration, or, in the worst case, to further exploitation if additional code execution is possible. The flaw derives from the lack of proper input validation and quoting, as identified by CWE-74 and CWE-89.

Affected Systems

SourceCodester Pizzafy E-Commerce System, version 1.0. The vulnerability exists in the Administrative Control Panel component and specifically in the /admin/admin_class_novo.php file used for user authentication.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate severity with remote access and exploitation potential. EPSS data is unavailable, so the likelihood cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Attackers can reach the vulnerable endpoint from the public Internet, making the risk significant for exposed installations. Because authentication is not required to trigger the injection, any unauthenticated user can exploit this flaw once the endpoint is reachable. The public exploit demonstrates that the flaw can be leveraged in the wild, so organizations should treat it as an active threat.

Generated by OpenCVE AI on June 3, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If a vendor patch or newer version is available, upgrade the Pizzafy E-Commerce System to that version.
  • Restrict external access to the administrative control panel using firewall rules or IP whitelisting to limit exposure to trusted administrators.
  • Implement input validation or parameterized queries for the Username field to prevent SQL injection; consider adding a web application firewall to block malicious payloads.

Generated by OpenCVE AI on June 3, 2026 at 03:52 UTC.
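
Added here as an illustration, not code from the Pizzafy project or from OpenCVE: a hypothetical PHP admin login written the way the advisory describes (the Username value spliced into the SQL text) beside the parameterized form the recommended actions call for. The table name, column names, connection details and password storage scheme are assumptions.

```php
<?php
// Added illustration, not the Pizzafy project's code. The table name
// (admin), the column names and the connection details are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();

// UNSAFE: the Username value is spliced into the SQL text, so a quote
// character in the input changes the structure of the statement
// (CWE-89, the weakness the advisory assigns to this login function).
function login_unsafe(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM admin WHERE username = '$username' "
         . "AND password = '" . md5($password) . "'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// HARDENED: a prepared statement ships the query text and the value
// separately, so the username can only ever be compared as data. The
// password is verified against a password_hash() digest stored per user.
function login_safe(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM admin WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return null; // same answer for unknown user and wrong password
    }
    unset($row['password_hash']);
    return $row;
}

// Request handling as an admin panel might do it (assumed POST field names).
$db = new mysqli('localhost', 'pizzafy_app', 'DB-PASSWORD-PLACEHOLDER', 'pizzafy');
$db->set_charset('utf8mb4');

$user = login_safe($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($user === null) {
    http_response_code(401);
    exit('Invalid credentials');
}
session_regenerate_id(true);        // new session id on login, against fixation
$_SESSION['admin_id'] = $user['id'];
```

The hardened version also removes the need for a WAF rule on the Username field, since the statement structure is fixed before any user data reaches the database.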

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:30:00 +0000

Changes (values added; nothing removed):
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 04:00:00 +0000

Changes (values added; nothing removed):
  • First Time appeared: Sourcecodester pizzafy Ecommerce System
  • Vendors & Products: Sourcecodester pizzafy Ecommerce System

Wed, 03 Jun 2026 02:30:00 +0000

Changes (values added; nothing removed):
  • Description: A vulnerability was detected in SourceCodester Pizzafy E-Commerce System 1.0. Affected by this vulnerability is the function Login of the file /admin/admin_class_novo.php of the component Administrative Control Panel. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.
  • Title: SourceCodester Pizzafy E-Commerce System Administrative Control Panel admin_class_novo.php login sql injection
  • First Time appeared: Sourcecodester; Sourcecodester pizzafy E-commerce System
  • Weaknesses: CWE-74; CWE-89
  • CPEs: cpe:2.3:a:sourcecodester:pizzafy_e-commerce_system:*:*:*:*:*:*:*:*
  • Vendors & Products: Sourcecodester; Sourcecodester pizzafy E-commerce System
  • References: (empty)
  • Metrics:
      cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-03T13:44:16.152Z

Reserved: 2026-06-02T17:44:18.615Z

Link: CVE-2026-10704

Vulnrichment

Updated: 2026-06-03T13:44:10.348Z

NVD

Status: Received

Published: 2026-06-03T02:16:17.200

Modified: 2026-06-03T02:16:17.200

Link: CVE-2026-10704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:00:13Z

Weaknesses