HIGH 7.3

CVE-2026-10704: SourceCodester Pizzafy 1.0 Unauthenticated SQL Injection Admin Bypass

SourceCodester's Pizzafy E-Commerce System version 1.0 contains a SQL injection vulnerability in the administrative login function. An attacker can manipulate the username field during authentication to inject malicious SQL commands, potentially gaining unauthorized database access without needing credentials or user interaction. The vulnerability is network-accessible and exploits are now publicly available.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

A vulnerability was detected in SourceCodester Pizzafy E-Commerce System 1.0. Affected by this vulnerability is the function Login of the file /admin/admin_class_novo.php of the component Administrative Control Panel. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10704 is a remote SQL injection flaw in the Login function of /admin/admin_class_novo.php within the Administrative Control Panel component. The vulnerability arises from insufficient input validation on the Username parameter, allowing an attacker to craft SQL queries that execute arbitrary database commands. This classic injection attack (CWE-89) combined with improper input handling (CWE-74) creates a direct path to database compromise. The attack requires no authentication, no special privileges, and no user interaction—attackers can exploit it directly over the network.

Business impact

Successful exploitation allows attackers to bypass administrative authentication controls entirely, gaining full database access and administrative privileges. This can lead to data theft (customer records, payment information, order histories), unauthorized data modification, deletion of critical e-commerce records, and potential system takeover. For any organization running Pizzafy 1.0 in production, this represents an immediate threat to customer trust, regulatory compliance (PCI-DSS, GDPR), and business continuity.

Affected systems

SourceCodester Pizzafy E-Commerce System version 1.0 is directly affected. This includes all deployments of this version whether hosted on-premises or in cloud environments. Organizations should audit their infrastructure to identify all instances of Pizzafy 1.0, including development, staging, and production environments, as the administrative panel is typically exposed internally or semi-publicly.

Exploitability

Exploitability is high. The attack has a CVSS score of 7.3 (HIGH severity) with a network attack vector, low attack complexity, and no authentication required. Public exploits are confirmed to exist, significantly lowering the barrier to entry for threat actors. The vulnerability requires only network access to the administrative login endpoint—no special tools, social engineering, or advanced techniques are necessary. Given public availability of proof-of-concept code, active exploitation is likely already occurring.

Remediation

Immediate action is required. Organizations running Pizzafy E-Commerce System 1.0 must prioritize patching or upgrading to a patched version. Verify the latest security advisory from SourceCodester for available patches or upgrade paths. In parallel, implement compensating controls: restrict administrative interface access via firewall rules, VPN, or IP whitelisting; deploy a Web Application Firewall (WAF) configured to detect and block SQL injection patterns in login requests; monitor administrative login attempts for anomalous activity; and rotate all administrative credentials immediately upon remediation.

Patch guidance

Check the SourceCodester security advisory for available patches addressing this SQL injection. Patches should validate and sanitize all user input, use parameterized queries for database interactions, and implement proper input encoding. If patches are not yet available, prioritize upgrading to the next stable release of Pizzafy that includes this fix. Test patches in a non-production environment before deployment. Coordinate patching with your change management process to minimize downtime, but given the severity and active exploitation risk, expedited deployment is warranted.

Detection guidance

Monitor web server and application logs for SQL injection indicators in the /admin/admin_class_novo.php endpoint, including unusual characters (single quotes, comment operators like --, OR, UNION) in username parameters. Enable database query logging and audit trails to detect anomalous SQL commands. Search for HTTP requests to the admin login function containing SQL keywords or encoded payloads. Implement alerting for failed login attempts followed by unusual database activity. Check firewall and IDS/IPS logs for traffic patterns consistent with SQL injection fuzzing or exploitation attempts targeting the administrative panel.

Why prioritize this

This vulnerability warrants immediate attention due to the combination of high severity (CVSS 7.3), complete absence of authentication requirements, public exploit availability, and direct impact on administrative security. SQL injection against an admin login function is one of the highest-impact vulnerability classes—it bypasses all security controls downstream. Any organization using Pizzafy 1.0 should treat this as a critical security incident requiring emergency response coordination.

Risk score, explained

The CVSS 3.1 score of 7.3 reflects the network accessibility (AV:N), low attack complexity (AC:L), absence of privilege or interaction requirements (PR:N, UI:N), and integrity/confidentiality/availability impact across the system scope. The score appropriately captures that an unauthenticated attacker can remotely compromise database confidentiality, modify data, and disrupt service. The high severity rating aligns with the public exploit availability and the administrative context of the vulnerable component.

Frequently asked questions

Do I need to be authenticated to exploit this vulnerability?

No. The vulnerability exists in the login function itself, meaning an attacker can inject SQL before authentication occurs. This is what makes it particularly dangerous—it bypasses the authentication layer entirely.

What can an attacker do if they successfully exploit this?

An attacker gains database-level access with the privileges of the database account used by the application. This typically means reading all customer data, orders, payment information; modifying or deleting records; and potentially executing commands on the underlying system depending on database configuration.

Is this vulnerability in the CISA KEV catalog?

As of the current data, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog, though public exploits are confirmed to exist. CISA's inclusion status may change as the threat landscape evolves.

What if I'm running a version other than 1.0?

Check SourceCodester's security advisories to determine if your version is affected. While this CVE specifically references version 1.0, similar SQL injection issues could exist in other versions. Review their patch release notes carefully.

This analysis is provided for informational purposes to support security decision-making. While the vulnerability details and CVSS score are based on authoritative CVE data, organizations should verify specific patch availability, compatibility, and deployment timelines with SourceCodester's official security advisories. SEC.co makes no warranty regarding the completeness or real-time accuracy of exploit availability claims. Always test patches in non-production environments before production deployment. This explainer does not constitute legal advice, and organizations remain responsible for their own security posture and compliance obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).