Description
A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/view_order.php of the component GET Parameter Handler. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-29
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw in the admin view_order.php page of SourceCodester Pizzafy Ecommerce System lets an attacker supply a malicious ID parameter and alter the database query. The flaw is a classic input validation weakness mapped to CWE-89, and it can lead to unauthorized reading, modification or deletion of order information. The CVSS score of 5.1 reflects the possibility of data compromise and moderate impact.

Affected Systems

The vulnerability affects SourceCodester Pizzafy Ecommerce System version 1.0, specifically the /admin/view_order.php component that processes the GET parameter ID.

Risk and Exploitability

The flaw is exploitable remotely and public exploits are available, yet no EPSS metric is published. Because it is not listed in CISA KEV, the exposure may be limited to sites that still run the unpatched version. An attacker who can send the crafted request can read or tamper with order data, potentially enabling later attacks if additional credentials can be obtained.

Generated by OpenCVE AI on April 29, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SourceCodester Pizzafy Ecommerce System to the latest released version or apply the vendor's official patch addressing the SQL injection in view_order.php.
  • Implement input validation and parameterized queries for the ID parameter in view_order.php to prevent malformed SQL from being executed.
  • Ensure that the database user account used by the application has only the minimum privileges required—read/write on order tables, but no broader privileges—to limit damage in the event of a successful injection.
  • Consider deploying a web application firewall or intrusion detection system that flags anomalous SQL patterns in requests to the /admin/view_order.php endpoint, particularly non-numeric values in the ID parameter.
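The second and third recommended actions above (validate the ID parameter, use parameterized queries, and run the application under a least-privilege database account) look like this in practice. This is an added illustration written for this page, not code from the Pizzafy project; the `orders` table, its column names, and the PDO connection details are assumptions.

```php
<?php
// Added illustration of the remediation described above; not the Pizzafy
// project's own code. Table `orders`, its columns, and the connection
// parameters are assumptions for this example.

function connect(): PDO {
    // Assumed: a dedicated account limited to the order tables (least privilege).
    // Emulated prepares are disabled so the database server binds the value itself.
    return new PDO('mysql:host=localhost;dbname=pizzafy', 'pizzafy_orders', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Validate the GET parameter before it reaches any query: an order ID must be a
// positive integer of bounded length. Anything else is rejected, never interpolated.
function order_id_from_request(array $get): int {
    $raw = $get['ID'] ?? '';
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        http_response_code(400);
        exit('Invalid order ID');
    }
    return (int) $raw;
}

// The flaw class in the advisory (CWE-89) arises when the raw parameter is
// concatenated into the SQL text, e.g. "... WHERE id = " . $_GET['ID'].
// Hardened version: the SQL text is constant and the value is bound as an integer.
function fetch_order(PDO $pdo, int $orderId): ?array {
    $stmt = $pdo->prepare(
        'SELECT id, customer_id, total, status FROM orders WHERE id = :id'
    );
    $stmt->bindValue(':id', $orderId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$order = fetch_order(connect(), order_id_from_request($_GET));
if ($order === null) {
    http_response_code(404);
    exit('Order not found');
}
header('Content-Type: application/json');
echo json_encode($order);
```

Requests such as `view_order.php?ID=7` succeed, while `ID=7 OR 1=1` is rejected with a 400 before any query runs, and even a value that slipped past validation could only ever be compared as an integer.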

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Sourcecodester; Sourcecodester pizzafy Ecommerce System
Vendors & Products                    Sourcecodester; Sourcecodester pizzafy Ecommerce System

Wed, 29 Apr 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 18:00:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/view_order.php of the component GET Parameter Handler. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Title                          SourceCodester Pizzafy Ecommerce System GET Parameter view_order.php sql injection
Weaknesses                     CWE-74, CWE-89
References
Metrics                        cvssV2_0: {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sourcecodester Pizzafy Ecommerce System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T18:31:55.135Z

Reserved: 2026-04-29T09:40:14.446Z

Link: CVE-2026-7394

Vulnrichment

Updated: 2026-04-29T18:12:36.611Z

NVD

Status: Deferred

Published: 2026-04-29T18:16:05.397

Modified: 2026-04-29T21:16:21.590

Link: CVE-2026-7394

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses