CVE-2026-7224
Published: 28 April 2026
Summary
CVE-2026-7224 is a medium-severity Injection (CWE-74) vulnerability in a Sourcecodester product (vendor inferred from references). Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-7224 is a SQL injection vulnerability affecting SourceCodester Pizzafy Ecommerce System 1.0. The flaw resides in the delete_cart function within the file /admin/ajax.php?action=delete_cart, where manipulation of the ID argument triggers the injection. It is classified under CWE-74 (Injection) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity.
Remote attackers can exploit this vulnerability without requiring privileges or user interaction. By sending crafted requests to the affected endpoint, they can inject malicious SQL payloads via the ID parameter, potentially leading to unauthorized data access, modification, or deletion, with low impacts on confidentiality, integrity, and availability.
Advisories provide further details on the issue, including a GitHub submission at https://github.com/fernando-mengali/vulndb-submissions/blob/main/01-vul-SQLI.md and VulDB entries at https://vuldb.com/vuln/359824 and https://vuldb.com/submit/802387. The vendor site is available at https://www.sourcecodester.com/. No specific patches are detailed in the provided information.
An exploit for this vulnerability has been publicly released, enabling its use in attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25988
Vulnerability details
A security flaw has been discovered in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function delete_cart of the file /admin/ajax.php?action=delete_cart. Performing a manipulation of the argument ID results in SQL injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the public-facing Pizzafy Ecommerce web application (exposed via /admin/ajax.php) directly enables remote exploitation without authentication, mapping to T1190 for initial access and database manipulation.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents SQL injection by requiring validation of untrusted inputs like the ID parameter in the delete_cart function of /admin/ajax.php.
SI-2 ensures timely remediation of the specific SQL injection flaw through identification, reporting, and patching of the vulnerable code.
RA-5 vulnerability scanning detects the SQL injection vulnerability in the Pizzafy Ecommerce System prior to exploitation.
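As an added illustration of the SI-10 control above (this is not Sourcecodester's code and does not reproduce the Pizzafy source), the following contrasts a delete_cart handler that splices the ID into the query with one that validates the ID as an integer and binds it through a prepared statement. The table name `cart`, its `id` column, the `$_SESSION['admin_id']` check and the SQLite demo database are all assumptions for the example.

```php
<?php
// Added example, not the project's code. Assumed schema: table `cart`
// with an integer primary key `id`.

// Flawed pattern of the kind CVE-2026-7224 describes: the request value
// becomes part of the SQL text, so anything but a plain integer changes the query.
function delete_cart_flawed(PDO $pdo, array $request): int
{
    $id = $request['id'] ?? '';
    return $pdo->exec("DELETE FROM cart WHERE id = $id");
}

// Hardened handler: authorisation check (assumed session key), SI-10 style
// input validation, and a parameterised query.
function delete_cart_safe(PDO $pdo, array $request, array $session): int
{
    // An /admin endpoint should never act for an unauthenticated caller.
    if (empty($session['admin_id'])) {
        http_response_code(403);
        return 0;
    }
    // Accept only a positive integer; reject everything else up front.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return 0;
    }
    // Bind the value as an integer; it is never interpolated into SQL text.
    $stmt = $pdo->prepare('DELETE FROM cart WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Stand-alone demo with a constructed in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cart (id INTEGER PRIMARY KEY, item TEXT)');
$pdo->exec("INSERT INTO cart (item) VALUES ('margherita'), ('diavola'), ('quattro formaggi')");
$session = ['admin_id' => 1];

// Non-integer input is refused before any SQL runs: 0 rows affected.
echo delete_cart_safe($pdo, ['id' => '1 OR 1=1'], $session), PHP_EOL;
// A well-formed ID deletes exactly one row.
echo delete_cart_safe($pdo, ['id' => '2'], $session), PHP_EOL;
// Two rows remain.
echo $pdo->query('SELECT COUNT(*) FROM cart')->fetchColumn(), PHP_EOL;
```

Running the script with the PHP CLI prints 0, 1 and 2 in turn; the same non-integer input passed to `delete_cart_flawed` would reach the database unchanged, which is the condition the advisory describes.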