Cyber Resilience

CVE-2026-7224

Medium

Published: 28 April 2026

Published
28 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 13.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7224 is a medium-severity Injection (CWE-74) vulnerability in Sourcecodester (inferred from references). Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7224 is a SQL injection vulnerability affecting SourceCodester Pizzafy Ecommerce System 1.0. The flaw resides in the delete_cart function within the file /admin/ajax.php?action=delete_cart, where manipulation of the ID argument triggers the injection. It is classified under CWE-74 (Injection) and CWE-89 (SQL Injection), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity.

Remote attackers can exploit this vulnerability without requiring privileges or user interaction. By sending crafted requests to the affected endpoint, they can inject malicious SQL payloads via the ID parameter, potentially leading to unauthorized data access, modification, or deletion, with low impacts on confidentiality, integrity, and availability.

Advisories provide further details on the issue, including a GitHub submission at https://github.com/fernando-mengali/vulndb-submissions/blob/main/01-vul-SQLI.md and VulDB entries at https://vuldb.com/vuln/359824 and https://vuldb.com/submit/802387. The vendor site is available at https://www.sourcecodester.com/. No specific patches are detailed in the provided information.

An exploit for this vulnerability has been publicly released, enabling its use in attacks.

EU & UK References

Vulnerability details

A security flaw has been discovered in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function delete_cart of the file /admin/ajax.php?action=delete_cart. Performing a manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit…

more

has been released to the public and may be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SQL injection vulnerability in the public-facing Pizzafy Ecommerce web application (exposed via /admin/ajax.php) directly enables remote exploitation without authentication, mapping to T1190 for initial access and database manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3150Shared CWE-74, CWE-89
CVE-2026-3746Shared CWE-74, CWE-89
CVE-2025-2683Shared CWE-74, CWE-89
CVE-2026-5238Shared CWE-74, CWE-89
CVE-2026-4288Shared CWE-74, CWE-89
CVE-2026-2220Shared CWE-74, CWE-89
CVE-2025-1535Shared CWE-74, CWE-89
CVE-2026-0597Shared CWE-74, CWE-89
CVE-2026-1688Shared CWE-74, CWE-89
CVE-2026-5018Shared CWE-74, CWE-89

Affected Assets

Sourcecodester
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents SQL injection by requiring validation of untrusted inputs like the ID parameter in the delete_cart function of /admin/ajax.php.

prevent

SI-2 ensures timely remediation of the specific SQL injection flaw through identification, reporting, and patching of the vulnerable code.

detect

RA-5 vulnerability scanning detects the SQL injection vulnerability in the Pizzafy Ecommerce System prior to exploitation.

References