CVE-2026-7295

Name of the Vulnerable Software and Affected Versions SourceCodester Pizzafy Ecommerce System version 1.0

Description Cross site scripting can be triggered remotely via the save menu() function in the '/admin/ajax.php?action=save menu' endpoint. The issue occurs through the manipulation of the Name argument.

Recommendations As a temporary workaround, restrict access to the '/admin/ajax.php?action=save menu' endpoint or avoid using the Name parameter within the save menu() function until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.