VYPR
Low severity 2.4 · NVD Advisory · Published Apr 28, 2026 · Updated Apr 29, 2026

CVE-2026-7294

Description

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /admin/index.php?page=save_settings. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-7294 is a reflected XSS in SourceCodester Pizzafy Ecommerce System 1.0 via the Name parameter in save_settings.

The vulnerability exists in SourceCodester Pizzafy Ecommerce System 1.0. The flaw is located in the save_settings function within /admin/index.php?page=save_settings. The manipulation of the Name argument allows for cross-site scripting (XSS) [1]. This is a reflected XSS vulnerability that can be triggered remotely.

An attacker can send a crafted request to the vulnerable endpoint with malicious JavaScript in the Name parameter. An exploit for the vulnerability has been published, and no authentication is required to trigger it, as the save_settings functionality is accessible without prior login [1].

Successful exploitation could allow an attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser. This could lead to session hijacking, defacement, or theft of sensitive information within the application's domain [1]. The impact is limited by the low privileges of the attacked component.

The vendor, SourceCodester, has been notified, but the software's EOL status is unclear [2]. A proof-of-concept exploit has been published, making the vulnerability more accessible to attackers [1]. No official advisory from the project maintainer has been identified; users should consider input validation or upgrading if a fix becomes available.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
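
One way to apply the input validation suggested above, paired with output encoding at the point where the name is echoed back. This is an added PHP example, not Pizzafy's code (which is not shown on this page); the function names, the allow-list and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for a settings handler; all names are assumptions
// and are not taken from the Pizzafy code base. Requires PHP 8.0+.

/** Validate the submitted Name value on input; returns null when rejected. */
function validate_setting_name(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;                 // arrays (name[]=x) and missing values
    }
    $name = trim($raw);
    // Allow-list: letters, digits, spaces and a little punctuation, 1-100 chars.
    // With /u, invalid UTF-8 makes preg_match() return false, which is rejected.
    if (preg_match('/^[\p{L}\p{N} .,&\'-]{1,100}\z/u', $name) !== 1) {
        return null;
    }
    return $name;
}

/** Encode a value for an HTML text node or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the response fragment; the name is encoded even if validation is skipped. */
function render_settings_saved(string $name): string
{
    return '<p class="notice">Settings saved for <strong>' . h($name) . '</strong></p>';
}

// Constructed sample inputs (not captured traffic).
$samples = ["Tony's Pizza & Grill", '<img src=x onerror=alert(1)>', ['nested']];
foreach ($samples as $raw) {
    $name = validate_setting_name($raw);
    if ($name === null) {
        // Reject, and still encode anything echoed back in the error message.
        $shown = is_string($raw) ? h($raw) : '(non-string)';
        echo "rejected: {$shown}\n";
        continue;
    }
    echo render_settings_saved($name), "\n";
}
```

Validation narrows what is stored, but the encoding in `h()` is what prevents the reflected value from being parsed as markup, so it applies to every place the name is written into HTML.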

Patches

No patches discovered yet.

References

5
