Medium severity4.3NVD Advisory· Published May 8, 2026· Updated May 8, 2026

CVE-2026-8117

Description

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects some unknown processing of the file /admin/index.php. Such manipulation of the argument page leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting vulnerability in SourceCodester Pizzafy Ecommerce System 1.0 via the 'page' parameter in /admin/index.php allows remote attackers to inject arbitrary web script.

Vulnerability

CVE-2026-8117 describes a reflected cross-site scripting (XSS) vulnerability in SourceCodester Pizzafy Ecommerce System 1.0. The issue arises in the file /admin/index.php, where the page parameter is not properly sanitized before being processed. This allows an attacker to inject arbitrary HTML and JavaScript code into the response, which is then executed in the victim's browser [1].

Exploitation

The attack can be launched remotely and does not require authentication, making it accessible to any attacker who can craft a malicious URL. The exploit has been publicly disclosed, increasing the risk of widespread use [1]. The vulnerability is classified as medium severity with a CVSS v3 score of 4.3.

Impact

Successful exploitation enables an attacker to execute arbitrary scripts in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Because the vulnerability is in the admin panel, it may expose administrative functions to abuse [1].

Mitigation

As of the publication date, the vendor has not released a patch or official advisory via the SourceCodester website [2]. Users are advised to apply input validation and output encoding to the page parameter or restrict access to the admin panel until a fix is available.

References

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Sourcecodester/Pizzafy Ecommerce Systemllm-create
Range: =1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

Severity

MediumCVSS v3.1

4.3/ 10

CVSS v42.1

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

Probability of exploitation in the next 30 days.

0.04%

VYPR risk score

Composite of severity, exploitation, and reach.

0.28low

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94
Improper Control of Generation of Code ('Code Injection')

CVE ID

CVE-2026-8117

Credits

N(
n0name (VulDB User)
reporter