CVE-2026-7297
Description
A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. It affects the function save_user of the file /admin/ajax.php?action=save_user. Manipulating the argument Name can lead to cross-site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in SourceCodester Pizzafy Ecommerce System 1.0 allows remote attackers to inject arbitrary web script via the Name parameter in save_user.
The vulnerability affects the save_user function in /admin/ajax.php?action=save_user. The Name parameter is not properly sanitized, allowing an attacker to inject arbitrary JavaScript or HTML code. This is a classic stored cross-site scripting issue [1].
Whether the attack can be executed without authentication is unclear. The description states it can be executed remotely, but the affected endpoint is in the admin panel, which typically requires authentication. The exact prerequisites are not specified [1].
Successful exploitation enables an attacker to execute arbitrary script in the context of the application, potentially leading to data theft, session hijacking, or other malicious actions within the admin interface [1].
As of publication, a patch has not been released by the vendor. The exploit has been publicly disclosed, increasing the risk of attacks [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
References (5)
News mentions
No linked articles in our index yet.