{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7294", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-28T10:26:00.761Z", "datePublished": "2026-04-28T18:00:13.486Z", "dateUpdated": "2026-04-28T18:00:13.486Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-28T18:00:13.486Z"}, "title": "SourceCodester Pizzafy Ecommerce System index.php save_settings cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "SourceCodester", "product": "Pizzafy Ecommerce System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /admin/index.php?page=save_settings. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-28T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-28T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-28T12:31:28.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "r3du (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/359954", "name": "VDB-359954 | SourceCodester Pizzafy Ecommerce System index.php save_settings cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/359954/cti", "name": "VDB-359954 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/803172", "name": "Submit #803172 | SourceCodester Pizzafy Ecommerce System 1.0 Cross Site Scripting", "tags": ["third-party-advisory"]}, {"url": "https://github.com/joaodrmmd/VulDB-Reports/blob/main/XSS%20-%20Config.pdf", "tags": ["exploit"]}, {"url": "https://www.sourcecodester.com/", "tags": ["product"]}], "tags": ["x_freeware"]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /admin/index.php?page=save_settings. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used."}], "id": "CVE-2026-7294", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-28T19:37:48.770", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/joaodrmmd/VulDB-Reports/blob/main/XSS%20-%20Config.pdf"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/803172"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359954"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/359954/cti"}, {"source": "cna@vuldb.com", "url": "https://www.sourcecodester.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Pizzafy Ecommerce System", "source": "cna", "vendor": "SourceCodester"}, "product": "pizzafy_ecommerce_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-04-28T23:10:18.043951+00:00", "value": {"mitigation_remediation": ["Upgrade SourceCodester Pizzafy Ecommerce System to a patched release or apply any vendor\u2011issued security update for the save_settings module.", "Ensure that all user\u2011supplied data, especially the Name parameter in save_settings, is properly sanitized or escaped before rendering to the browser, using built\u2011in PHP functions such as htmlspecialchars or a framework\u2019s sanitization utilities.", "Deploy a Web Application Firewall or configure Content Security Policy headers for the administrative area to block or mitigate reflected XSS payloads on the affected endpoint."], "summary": {"action": "Apply Fix", "impact": "Remote Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "This issue affects the 1.0 release of the SourceCodester Pizzafy Ecommerce System. Any instance running this version, or earlier releases that have not applied the fix, is susceptible. The vendor is SourceCodester and the affected component is the admin index page handling save_settings.", "description_and_impact": "The vulnerability occurs in the save_settings function of SourceCodester Pizzafy Ecommerce System\u2019s administrative page. By manipulating the Name argument, an attacker can inject arbitrary JavaScript that is reflected to the browser, enabling cross\u2011site scripting. The consequence is that a malicious user can execute code within the context of the victim\u2019s session, potentially stealing cookies, hijacking sessions, defacing content, or deflecting traffic. The weakness is classified as CWE\u201179 and also involves potential code injection as per CWE\u201194.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a moderate threat level. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be launched remotely and an exploit has already been published, meaning the risk of real\u2011world exploitation is present. Attackers do not need privileged access to the system; simply directing a malicious request to /admin/index.php?page=save_settings with a crafted Name value will trigger the flaw."}}}}, "created": "2026-04-28T22:30:41.315022+00:00", "updated": "2026-04-28T23:15:43.856707+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$pizzafy_ecommerce_system"]}