CVE-2026-10558
File Inclusion Vulnerability in SourceCodester Pizzafy Ecommerce System
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | pizzafy_ecommerce_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing direct inclusion of user-supplied input in file system functions and restricting the `page` parameter to allowed values.
- Implement a whitelist of allowed pages that can be included, rejecting any input that does not match.
- Use PHP functions like `basename()` to strip directory paths from the `page` parameter to prevent directory traversal.
- Disable remote file inclusion by setting `allow_url_include` to `Off` in the `php.ini` configuration.
- Review and sanitize all user inputs before using them in file inclusion functions.
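The following PHP dispatcher is an added example, not code from the Pizzafy project, that applies the first two recommendations above to the `page` parameter: an exact-match allow-list decides which file may be included, and the include path is anchored to the script's own directory. The page names and the `pages/` layout are assumptions.

```php
<?php
// Added example (not Pizzafy's own code): a hardened dispatcher for the
// `page` parameter. Page names and the pages/ directory are assumptions.

declare(strict_types=1);

// Allow-list: request value => file that may be included. Anything not
// listed is rejected, so traversal sequences never reach include().
const ALLOWED_PAGES = [
    'dashboard' => 'dashboard.php',
    'orders'    => 'orders.php',
    'products'  => 'products.php',
];

// Returns the file name for an allow-listed page, or null for anything else.
function resolve_page(?string $requested): ?string
{
    if ($requested === null || $requested === '') {
        return ALLOWED_PAGES['dashboard'];
    }
    // Exact-match lookup with no normalisation: "../dashboard", "dashboard.php"
    // and "dashboard%00" all fail here instead of being "cleaned up".
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return ALLOWED_PAGES[$requested];
}

// Vulnerable pattern the advisory describes (do not use):
//   include($_GET['page']);
$file = resolve_page($_GET['page'] ?? null);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}

// __DIR__ anchors the include to this script's directory, and the allow-listed
// file name contains no path separators, so the resolved path cannot escape it.
include __DIR__ . '/pages/' . $file;
```

`basename()` on its own only strips the directory part, so it still lets a request include any file that happens to sit in the target directory; treat it as a second layer behind the allow-list, not a replacement for it.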
Can you explain this vulnerability to me?
CVE-2026-10558 is a Local File Inclusion (LFI) vulnerability found in the SourceCodester Pizzafy Ecommerce System 1.0, specifically in the admin panel's `index.php` file. The vulnerability occurs because the `page` parameter in the URL is not properly validated or sanitized before being used in a PHP `include()` function. This allows an attacker to manipulate the `page` argument to traverse directories and include arbitrary files from the server.
By exploiting this, an attacker can read sensitive system files such as `/etc/passwd` on Linux or `C:\Windows\win.ini` on Windows, access application source code, or potentially execute arbitrary code if combined with other attacks like file uploads or log poisoning.
The attack is remotely exploitable by modifying the URL to include directory traversal sequences, for example: `http://localhost/pizzafy/admin/index.php?page=../../../../../../etc/passwd`.
Mitigation involves restricting the pages that can be included by whitelisting allowed values, sanitizing input using functions like `basename()`, and disabling remote file inclusion in the PHP configuration.
How can this vulnerability impact me?
This vulnerability can have several impacts on your system and data security.
- Disclosure of sensitive files and information by reading arbitrary files on the server.
- Exposure of application source code, which can reveal further vulnerabilities or sensitive logic.
- Potential for Remote Code Execution (RCE) if combined with other attack vectors, allowing attackers to execute arbitrary commands on the server.
- Compromise of the integrity, confidentiality, and availability of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the vulnerable endpoint for Local File Inclusion (LFI) by manipulating the `page` parameter in the URL to include directory traversal sequences.
- Use a web browser or a tool like curl to send a request to the vulnerable URL with traversal payloads, for example: `http://localhost/pizzafy/admin/index.php?page=../../../../../../etc/passwd` on Linux or `http://localhost/pizzafy/admin/index.php?page=../../../../../../windows/win.ini` on Windows.
- Observe the response for inclusion of sensitive file contents or PHP errors indicating file inclusion.
- Example curl command to test on Linux systems: `curl -i "http://localhost/pizzafy/admin/index.php?page=../../../../../../etc/passwd"`
- Example curl command to test on Windows systems: `curl -i "http://localhost/pizzafy/admin/index.php?page=../../../../../../windows/win.ini"`
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote attackers to perform Local File Inclusion (LFI) via manipulation of the `page` parameter in the admin panel, potentially exposing sensitive system files and application source code.
Exposure of sensitive files or unauthorized access to system resources could lead to breaches of confidentiality and integrity, which are critical requirements under standards like GDPR and HIPAA.
If exploited, this vulnerability may result in unauthorized disclosure of personal or protected health information, thereby impacting compliance with data protection regulations.
Mitigations such as input validation, whitelisting, and disabling remote inclusion are necessary to reduce the risk and maintain compliance.