Description
A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is the function Category of the file pizza/index.php?page=category. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection allowing remote data compromise
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the SourceCodester Pizzafy Ecommerce System 1.0, specifically in the category view within pizza/index.php. By manipulating the ID parameter, an attacker can inject arbitrary SQL statements, potentially retrieving, modifying, or deleting data from the underlying database.

Affected Systems

The affected product is SourceCodester Pizzafy Ecommerce System version 1.0.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity and the issue is publicly disclosed, making remote exploitation plausible via standard web requests. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote, initiated over HTTP or HTTPS to the vulnerable page.

Generated by OpenCVE AI on April 28, 2026 at 12:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the E-commerce system to the latest version that removes the insecure input handling.
  • If no update is available, restrict the database user used by the application to only the necessary permissions and apply least-privilege rules.
  • Apply input validation or parameterized queries to all user-supplied data, ensuring that the ID parameter does not allow SQL code execution.
  • Monitor web traffic for suspicious query strings containing SQL keywords and configure firewall rules to block attempted injections.
  • If the vendor provides a patch note or advisory, prioritize its deployment over ad-hoc mitigations.
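The input-validation and parameterized-query recommendation above, shown as an added PHP example. This is not code from the Pizzafy project or from OpenCVE; it assumes a PDO connection and a hypothetical categories table with id and name columns. The category id from the query string is validated as a positive integer before any query is built, and is then bound as a typed parameter rather than concatenated into the SQL text, so the value can never be interpreted as SQL.

```php
<?php
// Added example, not code from the Pizzafy project. Table and column names are assumed.
declare(strict_types=1);

function fetchCategory(PDO $pdo, string $rawId): ?array
{
    // Allow-list validation: a category id must be a plain positive integer.
    // Anything else (letters, quotes, spaces, SQL fragments) is rejected before a query is issued.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Parameterized query: the id is bound as an integer, never spliced into the SQL string.
    $stmt = $pdo->prepare('SELECT id, name FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demonstration on an in-memory SQLite database with constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO categories (id, name) VALUES (1, 'Pizza'), (2, 'Drinks')");

// In a page handler the call would be fetchCategory($pdo, $_GET['id'] ?? '').
var_dump(fetchCategory($pdo, '2'));     // well-formed id: the matching row is returned
var_dump(fetchCategory($pdo, '2abc'));  // malformed id: rejected by validation, no query issued
var_dump(fetchCategory($pdo, '99'));    // well-formed id with no matching row
```

The same function works unchanged against a MySQL backend; there it is worth also setting PDO::ATTR_EMULATE_PREPARES to false so that binding is performed by the database server rather than by the client driver. The integer check is the first line of defence and the bound parameter the second; neither depends on the other, and together they also give a clean place to log rejected requests for the traffic-monitoring recommendation.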

Generated by OpenCVE AI on April 28, 2026 at 12:13 UTC.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Sourcecodester
                                      Sourcecodester pizzafy Ecommerce System
Vendors & Products   -                Sourcecodester
                                      Sourcecodester pizzafy Ecommerce System
Metrics              -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 10:45:00 +0000

Type          Values Removed   Values Added
Description   -                A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is the function Category of the file pizza/index.php?page=category. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Title         -                SourceCodester Pizzafy Ecommerce System index.php category sql injection
Weaknesses    -                CWE-74
                               CWE-89
References    -                -
Metrics       -                cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T12:31:30.330Z

Reserved: 2026-04-28T05:23:17.429Z

Link: CVE-2026-7265

Vulnrichment

Updated: 2026-04-28T12:31:26.436Z

NVD

Status : Received

Published: 2026-04-28T11:16:07.087

Modified: 2026-04-28T11:16:07.087

Link: CVE-2026-7265

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:00:14Z

Weaknesses