CVE-2026-8117
Cross-Site Scripting in Pizzafy Ecommerce System
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | pizzafy_ecommerce_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8117 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the Pizzafy Ecommerce System version 1.0, specifically in the /admin/index.php file.
The vulnerability occurs because the user input for the "page" parameter is not properly sanitized or encoded before being displayed on the web page.
Attackers can exploit this flaw by injecting malicious JavaScript code through the "page" parameter, which then executes in the context of the affected page.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to several security issues including session hijacking, theft of user session cookies, and capture of sensitive user inputs such as login credentials.
Additionally, attackers may modify the appearance or content of the affected web page, potentially misleading users or damaging the website's integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the "page" parameter in the /admin/index.php URL for reflected cross-site scripting (XSS) issues. You can attempt to inject a simple JavaScript payload into the "page" parameter and observe if it is executed or reflected unsanitized in the response.
- Use curl or wget to send a request with a test XSS payload, for example: curl -i "http://target/admin/index.php?page=<script>alert('XSS')</script>"
- Use a web proxy tool like Burp Suite or OWASP ZAP to intercept and modify requests to the "page" parameter and check for script execution or reflected input.
- Look for unusual script execution or alert popups when accessing the manipulated URL in a browser.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing proper output encoding and strict input validation on the "page" parameter to prevent injection of malicious scripts.
Additionally, applying a Content Security Policy (CSP) can help restrict the execution of unauthorized scripts.
Using HttpOnly cookies can reduce the risk of session hijacking by preventing client-side scripts from accessing session cookies.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Reflected Cross-Site Scripting (XSS) issue that allows attackers to execute arbitrary scripts, potentially leading to session hijacking and theft of sensitive user input such as login credentials.
Such exploitation can result in unauthorized access to personal data, which may violate data protection regulations like GDPR and HIPAA that require safeguarding user information against unauthorized disclosure or access.
Therefore, this vulnerability could negatively impact compliance with these standards by exposing sensitive user data and failing to ensure adequate security controls.