A SQL injection vulnerability (CVE-2026-7224) has been discovered in SourceCodester Pizzafy Ecommerce System 1.0. The flaw affects the delete_cart function in /admin/ajax.php?action=delete_cart where manipulation of the ID argument leads to SQL injection. The vulnerability can be exploited remotely and a public exploit has been released, making it actively exploitable. This affects the admin panel functionality of the e-commerce system, potentially allowing attackers to access or manipulate the underlying database.