CVE-2026-7294
Received Received - Intake
Stored Cross-Site Scripting in Pizzafy Ecommerce save_settings Function

Publication date: 2026-04-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /admin/index.php?page=save_settings. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7294
EUVD
EUVD-2026-26138
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sourcecodester pizzafy_ecommerce_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a flaw found in the SourceCodester Pizzafy Ecommerce System 1.0, specifically in the save_settings function located in the /admin/index.php?page=save_settings file.

The issue arises from manipulation of the argument 'Name', which leads to a cross-site scripting (XSS) vulnerability.

This means an attacker can inject malicious scripts remotely through this function.

The exploit for this vulnerability has already been published and can be used by attackers.

Impact Analysis

This vulnerability allows an attacker to perform cross-site scripting (XSS) attacks by injecting malicious scripts remotely.

Such attacks can lead to unauthorized actions performed on behalf of legitimate users, potentially compromising user sessions or data integrity.

However, the CVSS scores indicate a low to medium severity with limited impact on confidentiality and availability, but some impact on integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7294. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart