CVE-2026-7268
Description
A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. It affects the function save_category of the file /admin/ajax.php?action=save_category. Manipulation of the argument Name leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pizzafy Ecommerce System 1.0 suffers from an unauthenticated SQL injection in /admin/ajax.php via the 'name' parameter, enabling remote attackers to extract the full database.
Root Cause
CVE-2026-7268 describes an SQL injection vulnerability in the Pizzafy Ecommerce System 1.0, specifically within the save_category function of /admin/ajax.php?action=save_category. The name parameter is directly concatenated into SQL queries without sanitization, as shown in the vulnerable source code where $data = " name = '$name' "; is used in both INSERT and UPDATE statements [1]. This allows an attacker to inject arbitrary SQL commands.
Attack Vector
The injection is trivially exploitable via HTTP POST requests to the vulnerable endpoint. No authentication is required, and the attack is performed remotely [1]. Using an error-based SQL injection technique, an attacker can supply crafted name values that trigger database errors revealing sensitive information, or perform blind inference to extract data row by row [1].
Impact
Successful exploitation results in full compromise of the database. An attacker can extract the entire database schema, table names, column structures, and user credentials (including password hashes). Furthermore, the attacker can delete or modify any records, leading to data integrity loss. Mass deletion could cause a denial of service, and extracted session data may allow privilege escalation to admin roles [1].
Status
As of this publication, the vendor has not released a patch. The vulnerability was publicly disclosed along with a proof-of-concept exploit, increasing the risk of active exploitation [1]. Users of the Pizzafy Ecommerce System 1.0 should apply input validation or parameterized queries immediately, or consider replacing the software if no update is forthcoming.
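The parameterized-query fix recommended above, as an added example rather than Pizzafy's own code: the table and column names (categories, id, name), the function signature and the in-memory SQLite database are assumptions chosen so the demo runs offline.

```php
<?php
// Added example, not Pizzafy's code. Assumed names: categories, id, name.
// SQLite in-memory is used only so this runs offline; the same PDO calls
// work unchanged against a MySQL DSN.

// Pattern described on the page (shown as a comment, not executed):
//   $data = " name = '$name' ";   // concatenated into INSERT and UPDATE

function save_category(PDO $db, array $post): int
{
    // Validate first: non-empty, bounded-length string.
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('invalid category name');
    }
    // id is either absent/empty (insert) or a valid integer (update).
    $id = $post['id'] ?? '';
    if ($id !== '' && filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('invalid category id');
    }

    if ($id === '') {
        // Placeholders keep user input out of the SQL text entirely.
        $stmt = $db->prepare('INSERT INTO categories (name) VALUES (:name)');
        $stmt->execute([':name' => $name]);
        return (int)$db->lastInsertId();
    }
    $stmt = $db->prepare('UPDATE categories SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return (int)$id;
}

$db = new PDO('sqlite::memory:');
// Exceptions should be logged server-side by the caller, never echoed to
// the client, since error text is what error-based injection reads.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed inputs: a normal name and one containing quote characters.
$first = save_category($db, ['name' => 'Veggie']);
save_category($db, ['name' => "Meat' OR '1'='1"]);
save_category($db, ['id' => (string)$first, 'name' => 'Vegetarian']);

// The quoted string is stored verbatim as data and never parsed as SQL.
foreach ($db->query('SELECT id, name FROM categories ORDER BY id') as $row) {
    printf("%d: %s\n", $row['id'], $row['name']);
}
```

Because the page states the endpoint needs no authentication, a deployed fix would also need a session check before this function is reached.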
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 6
News mentions
No linked articles in our index yet.