CVE-2026-7393 PUBLISHED

A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function save_menu of the file /admin/admin_class_novo.php of the component File Extension Handler. Performing a manipulation of the argument img results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

• imad alvi (VulDB User) reporter

• VDB-360118 | SourceCodester Pizzafy Ecommerce System File Extension admin_class_novo.php save_menu unrestricted upload
• VDB-360118 | CTI Indicators (IOB, IOC, TTP, IOA)
• Submit #803522 | SourceCodester Pizzafy Ecommerce System using PHP and MySQL 1.0 Incomplete Identification of Uploaded File Variables
• https://github.com/Xmyronn/Unrestricted-File-Upload-leading-to-Remote-Code-Execution-in-Pizzafy-Ecommerce-System.git
• https://www.sourcecodester.com/

• Unrestricted Upload CWE
• Improper Access Controls CWE