CVE-2026-7224: SQL Injection in SourceCodester Pizzafy Ecommerce System
The National Vulnerability Database reports a high-severity SQL injection vulnerability, CVE-2026-7224, impacting SourceCodester Pizzafy Ecommerce System version 1.0. This flaw resides in the delete_cart function within /admin/ajax.php?action=delete_cart, allowing remote attackers to manipulate the ID argument and execute arbitrary SQL queries. With a CVSS score of 7.3 (HIGH), this vulnerability presents a significant risk.
Attackers can exploit this remotely, and public exploit code is already available. The ability to inject SQL directly into the application’s database backend means potential for data exfiltration, modification, or even complete database compromise. This is a direct path to sensitive customer information, order details, and potentially administrative credentials.
For defenders, the immediate concern is the public availability of exploits. Any organization running SourceCodester Pizzafy Ecommerce System 1.0 is exposed. The vulnerability’s simple exploitation vector (CWE-89) coupled with its impact (CWE-74) makes it a prime target for automated scanning and opportunistic attacks. Patching or implementing robust input validation is critical.
What This Means For You
- If your organization uses SourceCodester Pizzafy Ecommerce System 1.0, you are directly vulnerable to remote SQL injection. Immediately assess your exposure and apply any available patches or implement strong input sanitization for the `ID` parameter in `delete_cart` to prevent data compromise.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-7224: SQL Injection in Pizzafy delete_cart Function
title: CVE-2026-7224: SQL Injection in Pizzafy delete_cart Function
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-7224 by targeting the delete_cart function in SourceCodester Pizzafy Ecommerce System. The rule looks for requests to '/admin/ajax.php' with the action 'delete_cart' and a manipulated 'ID' parameter containing common SQL injection patterns like ' OR '1=1'.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7224/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/admin/ajax.php?action=delete_cart'
cs-uri-query|contains:
- 'ID=';
cs-uri-query|contains:
- ' OR ';
cs-uri-query|contains:
- '1=1';
condition: cs-uri AND cs-uri-query
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7224 | SQLi | SourceCodester Pizzafy Ecommerce System 1.0 |
| CVE-2026-7224 | SQLi | CWE-89 |
| CVE-2026-7224 | SQLi | /admin/ajax.php?action=delete_cart |
| CVE-2026-7224 | SQLi | Vulnerable function: delete_cart |
| CVE-2026-7224 | SQLi | Vulnerable argument: ID |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 09:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7234: Path Traversal Flaw in BrowserOperator Core Exposes Users
CVE-2026-7234 — A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component_server/server.js. Executing a manipulation...
CVE-2026-7230 — SourceCodester Safety Anger Pad Vulnerability
CVE-2026-7230 — A vulnerability was found in SourceCodester Safety Anger Pad 1.0. The affected element is an unknown function. The manipulation of the argument angerDisplay...
CVE-2026-7229 — Code-Projects Coaching Management System SQL Injection
CVE-2026-7229 — A vulnerability was found in code-projects Coaching Management System 1.0. This affects an unknown function of the file /cims/modules/admin/reply.php of the component POST...