Description
A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is the function Login of the file /admin/ajax.php?action=login. The manipulation of the argument e-mail results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.
Published: 2026-04-28
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Remote SQL Injection via login email parameter
Action: Patch
AI Analysis

Impact

The flaw allows an attacker to inject SQL through the e‑mail field of the login routine at /admin/ajax.php?action=login. The injection can be performed remotely and would let the attacker read or modify database contents, potentially gaining full control of the system. The root cause is user input concatenated into an SQL query without neutralization: a classic SQL injection (CWE‑89), itself a form of improper neutralization of special elements in a downstream query (CWE‑74).

Affected Systems

The vulnerable product is SourceCodester Pizzafy Ecommerce System version 1.0. The flaw exists in the web application’s admin login API. No other products or versions are listed. The system is a PHP‑based e‑commerce platform that may be hosted on a typical web server with a MySQL database.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS data is not available, and the vulnerability is not yet listed in CISA KEV. Because the attack can be triggered from any remote web client, requires no privileged context, and exploit code is already public, the likelihood of exploitation is significant. An attacker could supply a crafted e‑mail value to extract arbitrary data or alter credentials.

Generated by OpenCVE AI on April 28, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to the latest release of SourceCodester Pizzafy Ecommerce System.
  • Restrict the database user privileges to the minimum required for the application, preventing full schema access.
  • Refactor the login code to use parameterized prepared statements or stored procedures, eliminating direct query concatenation.
  • Implement strict input validation or sanitization for the e‑mail field, rejecting any characters that could terminate the query or introduce SQL statements.

Generated by OpenCVE AI on April 28, 2026 at 12:26 UTC.
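The following is an added example, not code from Pizzafy or from OpenCVE, contrasting the query shape the advisory describes with the parameterized form the recommended actions call for. The table name `admin_users`, the sample admin row and the in-memory SQLite database are constructed here so the script runs stand-alone (`php example.php`, with the pdo_sqlite extension); the real application's schema is not known from this page.

```php
<?php
// Added example, not Pizzafy's or OpenCVE's code. The table, the sample admin row
// and the in-memory SQLite database are constructed so the script runs stand-alone.
declare(strict_types=1);

function build_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin_users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO admin_users (email, password_hash) VALUES (?, ?)');
    // Constructed sample credentials; the hash is computed at run time.
    $ins->execute(['admin@example.test', password_hash('sample-password', PASSWORD_DEFAULT)]);
    return $db;
}

// Vulnerable shape (CWE-89): the e-mail value is spliced into the SQL text, so whatever
// the client sends is parsed by the database as part of the statement.
function login_vulnerable(PDO $db, string $email, string $password): bool
{
    $sql = "SELECT password_hash FROM admin_users WHERE email = '" . $email . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Hardened shape: validate the field, then bind it as a parameter. The query text is
// fixed at prepare time and the submitted value can only ever be compared as data.
function login_safe(PDO $db, string $email, string $password): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // defence in depth; the bound parameter below is the actual fix
    }
    $stmt = $db->prepare('SELECT password_hash FROM admin_users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

$db = build_db();

// Correct credentials succeed with both versions.
var_dump(login_vulnerable($db, 'admin@example.test', 'sample-password'));
var_dump(login_safe($db, 'admin@example.test', 'sample-password'));

// A legitimate address containing an apostrophe is enough to show the difference:
// the concatenated query fails to parse because the quote reaches the SQL parser,
// while the parameterized query simply finds no such user and returns false.
$probe = "o'brien@example.test";
try {
    login_vulnerable($db, $probe, 'x');
} catch (PDOException $e) {
    echo 'vulnerable: user input reached the SQL parser: ', $e->getMessage(), PHP_EOL;
}
var_dump(login_safe($db, $probe, 'x'));
```

The apostrophe probe is a useful regression check for a code review or test suite: a login routine that throws a database error on a syntactically valid address is letting input into the query text. Input validation on the e-mail field, as the last recommended action suggests, narrows what reaches the database but does not by itself prevent injection; the bound parameter is what removes the vulnerability class, and a database account limited to the tables the application needs bounds the damage if another query is missed.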


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sourcecodester; Sourcecodester pizzafy Ecommerce System
Vendors & Products | | Sourcecodester; Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is the function Login of the file /admin/ajax.php?action=login. The manipulation of the argument e-mail results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.
Title | | SourceCodester Pizzafy Ecommerce System ajax.php login sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T05:00:15.506Z

Reserved: 2026-04-27T15:43:18.261Z

Link: CVE-2026-7227

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-28T06:16:05.547

Modified: 2026-04-28T06:16:05.547

Link: CVE-2026-7227

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:30:31Z

Weaknesses