Description
A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. This impacts the function save_category of the file /admin/ajax.php?action=save_category. Manipulation of the argument Name leads to SQL injection. The attack may be performed remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

A vulnerability in the save_category function of /admin/ajax.php allows an attacker to inject arbitrary SQL through manipulation of the Name parameter. The injection is not limited by authentication and can be performed remotely, potentially enabling the execution of SQL commands that may read, alter or delete data in the underlying database.

Affected Systems

The affected application is SourceCodester Pizzafy Ecommerce System version 1.0. No other products or versions were identified in the CNA data.

Risk and Exploitability

The CVSS base score of 5.3 indicates a medium severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not actively exploited yet. However, because the flaw permits remote SQL injection, an attacker with network access could compromise the database, which could result in data breach or compromise of the application state.

Generated by OpenCVE AI on April 28, 2026 at 12:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release of Pizzafy Ecommerce System that addresses the SQL injection in ajax.php.
  • Ensure the database account used by the application has the least privileges required; remove any ability to execute administrative commands.
  • Modify the application to use parameterized queries or properly escape all user input, especially the Name field, to prevent SQL injection.
  • If an upgrade is not available, deploy a web application firewall or input sanitization layer to block suspicious SQL patterns and monitor database logs for abnormal activity.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 12:45:00 +0000

Type: First Time appeared
  Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System
Type: Vendors & Products
  Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 12:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 11:30:00 +0000

Type: Description
  Values Added: A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. This impacts the function save_category of the file /admin/ajax.php?action=save_category. Such manipulation of the argument Name leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Type: Title
  Values Added: SourceCodester Pizzafy Ecommerce System ajax.php save_category sql injection
Type: Weaknesses
  Values Added: CWE-74; CWE-89
Type: References
Type: Metrics (cvssV2_0)
  Values Added: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Type: Metrics (cvssV3_0)
  Values Added: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Type: Metrics (cvssV3_1)
  Values Added: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Type: Metrics (cvssV4_0)
  Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T11:54:52.915Z

Reserved: 2026-04-28T05:23:27.340Z

Link: CVE-2026-7268

Vulnrichment

Updated: 2026-04-28T11:54:48.164Z

NVD

Status : Received

Published: 2026-04-28T12:16:02.500

Modified: 2026-04-28T12:16:02.500

Link: CVE-2026-7268

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:30:30Z

Weaknesses