Description
A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects the function login2 of the file /admin/ajax.php?action=login2. The manipulation of the argument e-mail leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Published: 2026-04-28
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Database Access
Action: Apply patch
AI Analysis

Impact

The vulnerability resides in the login2 function of /admin/ajax.php, where the e‑mail argument is not properly sanitized, allowing an attacker to inject SQL statements. By exploiting this flaw, an attacker can retrieve, modify, or delete data in the backend database, leading to credential compromise, data theft, or integrity violations. The impact concerns the confidentiality, integrity, and availability of the store’s information. Based on the description, the flaw is a classic SQL injection (CWE‑89) and a form‑based injection (CWE‑74).

Affected Systems

SourceCodester Pizzafy Ecommerce System 1.0. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability with remote exploitation possible. EPSS information is not available, but the exploit has been publicly disclosed and “may be used,” implying that attackers could readily construct a payload. Since the attack can be performed over the network via the publicly reachable login2 endpoint, the likelihood of exploitation is significant for exposed installations. The vulnerability is not currently listed in the CISA KEV catalog, but the public disclosure pattern suggests that it can be actively leveraged.

Generated by OpenCVE AI on April 28, 2026 at 12:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a fixed release of the Pizzafy Ecommerce System.
  • Limit access to the /admin/ajax.php endpoint using authentication or IP‑based restrictions to reduce the attack surface.
  • Implement server‑side input validation and use parameterized SQL queries for the e‑mail field to eliminate the injection vector.
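The third action in practice, as an added illustration that is not Pizzafy's own code: a constructed PHP login handler that splices the e‑mail value into the query, beside the validated, parameterized form. It assumes a PDO handle in $pdo and an admins table with email and password (password_hash) columns.

```php
<?php
// Constructed illustration for this advisory, not Pizzafy's own code.
// Assumes: a PDO handle $pdo and an `admins` table with `email` and
// `password` columns, where `password` holds a password_hash() value.

// Anti-pattern: the e-mail value is spliced into the SQL text, so the
// request body, not the developer, decides the shape of the query.
function login2_vulnerable(PDO $pdo, string $email, string $password): ?array
{
    $sql = "SELECT id, email, password FROM admins WHERE email = '$email'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($password, $row['password'])) {
        return ['id' => $row['id'], 'email' => $row['email']];
    }
    return null;
}

// Hardened form: validate the value as an e-mail address, then pass it as a
// bound parameter so the database receives it as data, never as SQL.
function login2_hardened(PDO $pdo, string $email, string $password): ?array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // reject input that is not syntactically an e-mail address
    }
    $stmt = $pdo->prepare(
        'SELECT id, email, password FROM admins WHERE email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same response for unknown e-mail and wrong password
    }
    return ['id' => $row['id'], 'email' => $row['email']];
}

// When connecting with the MySQL driver, turn off client-side prepare
// emulation so the server itself performs the parameter binding:
// $pdo = new PDO($dsn, $user, $pass, [
//     PDO::ATTR_EMULATE_PREPARES => false,
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
```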

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Values added (nothing removed):
  • First Time appeared: Sourcecodester; Sourcecodester pizzafy Ecommerce System
  • Vendors & Products: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 05:30:00 +0000

Values added (nothing removed):
  • Description: A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects the function login2 of the file /admin/ajax.php?action=login2. The manipulation of the argument e-mail leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
  • Title: SourceCodester Pizzafy Ecommerce System ajax.php login2 sql injection
  • Weaknesses: CWE-74; CWE-89
  • References: (none listed)
  • Metrics:
      cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T04:45:12.926Z

Reserved: 2026-04-27T15:43:15.212Z

Link: CVE-2026-7226

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-28T06:16:05.363

Modified: 2026-04-28T06:16:05.363

Link: CVE-2026-7226

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:30:31Z

Weaknesses