VYPR
Medium severity · CVSS 6.3 · NVD Advisory · Published Apr 28, 2026 · Updated Apr 29, 2026

CVE-2026-7265

Description

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is the function Category of the file pizza/index.php?page=category. Manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SourceCodester Pizzafy Ecommerce System 1.0 has an SQL injection in the id parameter of pizza/index.php?page=category that allows remote, unauthenticated exploitation.

Vulnerability

Overview

An error-based SQL injection vulnerability exists in SourceCodester Pizzafy Ecommerce System version 1.0. The flaw resides in the Category functionality of the file pizza/index.php?page=category. The id parameter from the GET request is interpolated directly into a SELECT statement without validation, escaping or parameterization, as the vulnerable code shows: $cid = $_GET['id'] ?? ""; ... $conn->query("SELECT * FROM category_list where id = $cid");. Because the value is placed into the query unquoted, an attacker needs no quote character to break out of a literal; whatever follows the number is parsed by the database as SQL, so arbitrary SQL can be injected [1].

Attack

Vector

The vulnerability can be exploited remotely without authentication. An attacker sends a crafted HTTP GET request to the endpoint pizza/index.php?page=category&id=<malicious_payload>. The application echoes database error messages in its response, which lets the attacker use error-based SQL injection techniques to extract data through those error messages. The exploit has been publicly disclosed, which increases the risk of active attacks [1].

Impact

Successful exploitation lets an unauthenticated attacker read arbitrary data through the injected SELECT, including the database schema and user credentials (confidentiality). Unauthorized modification or deletion of records (integrity) and denial of service through mass deletion are additionally possible where the database layer executes stacked statements; mysqli::query() does not, while PDO::query() with the MySQL driver does, so the write impact depends on how $conn is connected. Extracted credentials or session data may in turn allow administrator-level access to the application [1].

Mitigation

As of the publication date, no official patch has been released and the vendor SourceCodester has not addressed this vulnerability. Users should validate that id is an integer before it reaches the database and use prepared statements (parameterized queries) for all database operations; disabling error display in production removes the error channel that error-based extraction relies on but does not remove the injection itself. A public exploit alone does not qualify a CVE for CISA's Known Exploited Vulnerabilities (KEV) catalog, which requires evidence of active exploitation, but the availability of the exploit makes a future listing more likely [1].
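The vulnerable pattern beside its hardened form, as an added example that is not code from the Pizzafy project or from the advisory. It assumes $conn is a mysqli connection and that category_list has an integer id column, which is what the query quoted above implies; the function names category_vulnerable and category_hardened are hypothetical.

```php
<?php
// Added example; not code from the Pizzafy project. Assumes $conn is a mysqli
// connection and category_list has an integer primary key `id`, as the query
// quoted in the advisory implies. Function names are hypothetical.

// Vulnerable form (the pattern the advisory describes): $_GET['id'] is
// interpolated into a double-quoted string, so whatever the client sends is
// parsed by MySQL as SQL. No quote is needed to break out, because the value
// is not quoted in the query.
function category_vulnerable(mysqli $conn, array $get): mysqli_result|bool
{
    $cid = $get['id'] ?? "";
    return $conn->query("SELECT * FROM category_list where id = $cid");
}

// Hardened form: validate that id is a positive integer before it reaches the
// database, then bind it as a typed parameter so it can never be parsed as SQL.
function category_hardened(mysqli $conn, array $get): ?array
{
    // filter_var returns false for non-integers, out-of-range values and for
    // array input such as id[]=1, so all of those are rejected up front.
    $cid = filter_var(
        $get['id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($cid === false) {
        // Reject rather than "sanitize": a non-integer id is not a legitimate
        // request, and the client must not see a database error for it.
        http_response_code(400);
        return null;
    }

    $stmt = $conn->prepare("SELECT * FROM category_list WHERE id = ?");
    if ($stmt === false) {
        // Log the driver error server-side; never echo it into the response,
        // since error text in the response is what error-based SQLi feeds on.
        error_log("category lookup: prepare failed: " . $conn->error);
        http_response_code(500);
        return null;
    }
    $stmt->bind_param('i', $cid);   // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage inside the page=category handler, assuming $conn is already open:
//   $category = category_hardened($conn, $_GET);
//   if ($category === null) { exit; }
```

The integer check and the bound parameter are independent defenses: the prepared statement alone already prevents injection, and the check in front of it turns malformed input into a clean 400 instead of a database round trip. Since PHP 8.1 mysqli throws mysqli_sql_exception on errors by default, so an uncaught failure with display_errors enabled would print a stack trace to the client; keep display_errors off in production regardless of the query fix.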

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)